Search Engine (Google, Bing, etc.) Link Redirect Problems


38 replies to this topic

#1 JHWKS4ME
  • Members

Posted 28 June 2009 - 05:44 AM

I don't remember the exact day it started, but for the past week or so, I have had issues when I try to click on a search result link from any search engine: Google, Bing, etc. Like so many others in different forums/posts I have read over the past few days, if I cut and paste the shortcut into the address bar and hit Enter, it takes me to the appropriate site. But if I just click on the link, I am redirected to anything from porn to shopping to completely random sites. (There is a green globe before the web address for every site I am redirected to, if that helps at all.) That seems to be the only issue I have currently, although a few days back my firewall turned off on its own. Since then, I have downloaded and run Ad-Aware and Malwarebytes' Anti-Malware software, as well as the (paid version of) Spyware Sweeper and (free version of) AVG Anti-Virus that I already had running on my system (Windows XP). At first, a trojan was found (Trojan.Backdoor.ProgDav) and after two tries, seemingly removed. I also had a Win32/Cryptor virus found and removed and two other viruses I can't recall. I have run full scans using everything I have over the past day (in both safe and regular mode) and nothing has been found. But the redirecting links problem still persists and I am worried that there are worse things happening to my computer behind the scenes that I can't detect with the naked eye. Any help would be appreciated; if I can't figure this out soon, I'm going to have to take my laptop in to a professional and I don't want to pay for that if I can help it. Thanks.


#2 Blade
  • Site Admin

Posted 28 June 2009 - 11:56 AM

Hello JHWKS4ME, and welcome to BleepingComputer.

if I can't figure this out soon, I'm going to have to take my laptop in to a professional


methinks we're going to put these guys out of business one day


Yup. . . you've got a nasty on your machine. We can get rid of it. . . but first, a warning.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

***************************************************

now. . . let's see if we can zap this bugger

First, could you please post the log from your malwarebytes scan? You may retrieve the log by launching the program and navigating to the Logs tab. The scan logs are listed in reverse chronological order. Please copy and paste your log here for my review.

***************************************************

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

***************************************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
In your next reply, please include the following:
Malwarebytes log
SUPERAntiSpyware log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 JHWKS4ME
  • Members (Topic Starter)

Posted 29 June 2009 - 12:48 AM

Thanks for the help! Sorry I didn't get back to you earlier, but it was over 100 degrees in my apartment today and I had to get out for a few hours. I ran the two scans and will post the two logs you asked for. Just to let you know, Avast (which I installed late last night) found 11 instances of the Win32:Alureon-BH(Rtk) virus on my computer, all in the Windows/Temp files with SKYNET in their names. Looking again at a lot of the posts on here, this SKYNET thing must be a big problem right now.

Here are the logs:

Malwarebytes' Anti-Malware 1.38
Database version: 2344
Windows 5.1.2600 Service Pack 3

6/28/2009 3:29:56 PM
mbam-log-2009-06-28 (15-29-56).txt

Scan type: Quick Scan
Objects scanned: 86789
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\SKYNETprjhujoj.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETyqjovtom.dll (Trojan.Agent) -> Quarantined and deleted successfully.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/28/2009 at 04:04 PM

Application Version : 4.26.1006

Core Rules Database Version : 3960
Trace Rules Database Version: 1901

Scan type : Complete Scan
Total Scan Time : 00:30:16

Memory items scanned : 277
Memory threats detected : 0
Registry items scanned : 4838
Registry threats detected : 0
File items scanned : 14343
File threats detected : 0

I await your further instructions. Since this is my only computer with Internet access, I have to use it and just hope no one is stealing anything from me. Not like I keep a lot of private stuff on it anyway. I hope we can get this fixed! Thanks again.

#4 Blade
  • Site Admin

Posted 29 June 2009 - 02:19 AM

Hello JHWKS4ME,

Yup. . . this is popping up a good bit lately. It's pretty nasty too. But it can be killed.

We need to make sure that everything MBAM deleted stayed deleted. Please reboot your computer, update MBAM (they've released a few more fingerprints since you last updated, I just updated and I'm at version 2348), and run a Full Scan. When that completes, please post the log back for my review.



#5 JHWKS4ME
  • Members (Topic Starter)

Posted 29 June 2009 - 04:11 AM

Here's the latest log that you asked for. And how is this virus being spread? Can you get it by going to various (normal) websites? And if we get rid of it, will my current protection stop it from coming back? I know, I know...first things first. Let's just concentrate on killing it.

Malwarebytes' Anti-Malware 1.38
Database version: 2348
Windows 5.1.2600 Service Pack 3

6/29/2009 1:55:21 AM
mbam-log-2009-06-29 (01-55-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 126830
Time elapsed: 16 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{d184f8ee-ee47-433e-b745-d2327137e208}\RP1\A0003006.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

#6 Blade
  • Site Admin

Posted 29 June 2009 - 07:42 PM

Hello JHWKS4ME,

The log looks good! It seems you got lucky and the worm wasn't able to fully install itself, or you just happened to get one of the less nasty variants. The one detection that MBAM found is not unexpected, we will deal with that by purging System Restore shortly.

In answer to your questions, this particular worm spreads via email and via infected removable drives (e.g. flash drives). To prevent reinfection via email, it is important that you never even read an email from someone you do not know, and never open an attachment if you even think it appears slightly suspicious. Personally, I don't open attachments from anyone, not even people I know, unless I was already expecting the attachment.

To deal with the flash drive issue, we can use a tool called Flash Disinfector to disable the windows component that allows files on a removable drive to execute themselves without your permission. This will also clean any flash drives you have. The only "downside" to this tool is that, from here on out, you will have to manually access all removable drives from My Computer. Not a bad trade off, but it's up to you if you want to do it or not.

So let's purge System Restore first, then we'll run Flash Disinfector.

***************************************************

Disable and Enable System Restore. - You should disable and enable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to disable and enable system restore here: Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above.

***************************************************

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

***************************************************

After this. . . you should be good to go! Make sure you keep all your computer security programs updated, and run weekly quick scans with MBAM to continually protect your machine from reinfection. If you have any further questions, feel free to post them here. Surf Safe!

~Blade

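The autorun.inf folder trick in the Flash_Disinfector note above works because a file and a directory cannot share a name in the same folder, so a worm that tries to drop autorun.inf at the drive root simply fails. The Python script below is an added example (it is not Flash_Disinfector's code) that immunizes a drive root the same way and then verifies the protection by attempting the drop itself, as a worm would. It also includes a small helper that lists what an existing autorun.inf would launch, so you can inspect a file before deleting it. The function names, the worm.exe entry in the sample autorun.inf and the temporary directory that stands in for a USB root are all constructed for the example.

```python
"""Immunize a drive root against autorun.inf droppers and verify it.
Added example: not Flash_Disinfector's code. Paths and names are hypothetical."""
import os
import sys
import tempfile
from typing import List, Optional

AUTORUN = "autorun.inf"
# autorun.inf keys that name something to execute when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")


def launch_targets(autorun_text: str) -> List[str]:
    """Return the commands an autorun.inf would run (open=, shellexecute=,
    shell\\<verb>\\command=). Inspect an existing file with this before removing it."""
    targets = []
    in_autorun = False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value.strip())
    return targets


def immunize_root(root: str) -> str:
    """Create <root>/autorun.inf as a DIRECTORY so no file of that name can be
    created later. Refuses to touch an existing autorun.inf file (inspect it first).
    On Windows the folder is also marked hidden+system, as Flash_Disinfector does."""
    path = os.path.join(root, AUTORUN)
    if os.path.isfile(path):
        raise FileExistsError(f"{path} is a file; run launch_targets() on it first")
    os.makedirs(path, exist_ok=True)
    if sys.platform == "win32":
        import ctypes
        FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x02, 0x04
        ctypes.windll.kernel32.SetFileAttributesW(
            path, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return path


def autorun_file_can_be_created(root: str) -> bool:
    """Do what a USB worm does: try to drop <root>/autorun.inf as a file.
    True means the drive is unprotected; False means the drop was blocked."""
    path = os.path.join(root, AUTORUN)
    try:
        with open(path, "x") as fh:                   # "x": create, fail if the name exists
            fh.write("[autorun]\nopen=worm.exe\n")   # worm.exe is a made-up name
    except OSError:                                   # EEXIST / EISDIR / access denied
        return False
    os.remove(path)                                   # clean up our own test file
    return True


def demo(root: Optional[str] = None) -> dict:
    """Run the before/after check. With no argument, a temp dir stands in for a USB root."""
    if root is None:
        root = tempfile.mkdtemp(prefix="usbroot-")
    before = autorun_file_can_be_created(root)
    immunize_root(root)
    after = autorun_file_can_be_created(root)
    return {"root": root, "drop_worked_before": before, "drop_worked_after": after}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. E:\ for a real flash drive
    print(demo(target))
```

Run it with a drive root (for example `python immunize.py E:\`) after the drive has been cleaned; with no argument it exercises the logic on a temporary directory. The folder trick only stops droppers that give up when the create call fails; malware running with enough rights can remove the folder first, so it complements rather than replaces turning AutoRun off (on XP that is the Explorer `NoDriveTypeAutoRun` policy, which Flash_Disinfector's "disable the windows component" step refers to).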


#7 JHWKS4ME
  • Members (Topic Starter)

Posted 29 June 2009 - 09:25 PM

Thanks for your help. It does seem like I got lucky, huh? The one thing that seemed odd to me though is that I turned off System Restore a few days ago as I had seen different people in various forums say to do that once you have a virus. So, the Trojan shouldn't have shown up in that file if I turned off System Restore already, right? Or maybe because I only turned it off under my user name and not Administrator, it still was able to save itself in that area of my computer? Anyway, when I get home (I am at work now) I will disable and re-enable System Restore under the Administrator log-in and then run Flash Disinfector. Speaking of which, would an iPod count as a flash drive? I know technically it's more like a mini-hard drive, but if I synced my iPod to my computer before I knew I had the virus, could it have spread to my iPod? And if so, would the Flash Disinfector work on it too?

Also, in terms of Spyware, Anti-Virus and Firewall protection, what free programs would you recommend? I have been using Webroot Spyware Sweeper and am actually paying for a subscription, so I'd like to keep that through November (when my subscription is up), if possible. I also have Ad Aware on my machine now, as well. And in terms of Anti-Virus protection, I had been using AVG, but recently downloaded Avast and SuperAnti Spyware (per your instructions), as well. I am not married to any of them...I just don't want the ones I have to use up too many system resources, as I hate making my already slowish computer even slower. And speaking of slow computers, ZoneAlarm was getting so bad that I uninstalled it and went with the Windows Firewall only, but have since learned it only blocks incoming, not outgoing signals. So what would be a good, system resource-friendly (and free) firewall that you'd recommend? Even if it's ZoneAlarm, I think it would be better than just the Windows firewall. Anyway, sorry to pick your brain about this stuff, but I thought going to the experts would be the best thing to do.

Oh, and one last thing. MBAM seems like a really cool program and one that doesn't run until you activate it for scanning. I should keep that one too, right? Thanks again for your help, Blade.

#8 Blade
  • Site Admin

Posted 29 June 2009 - 10:16 PM

'ello! I'm glad to answer any questions you have, so fire away!

Yes, if you are not the Administrator of the machine you will need to disable and enable system restore under that username. As far as the iPod goes, it might be possible that the worm spread to the iPod, particularly if you have it available to use as a removable drive (there's a setting through iTunes that controls this). If the worm did infect the iPod, then Flash Disinfector ought to be able to remove it. Just connect your iPod along with any other removable drives when you're running Flash Disinfector.

Just for clarity's sake:

Speaking of which, would an iPod count as a flash drive? I know technically it's more like a mini-hard drive

I might not have put my last post in quite the right terms. Sorry about that. When I said the worm spread via removable drives, I meant any removable storage device that you can access, read from, and write to just as you would your primary HD. Flash drives are just one example of this kind of device. External HD's are another. Does that make more sense?

***************************************************

Regarding security programs, there are several products free for personal use out there that I feel are just as good as (and sometimes better than) many of the commercial products. My personal choices are Avira's Antivir Personal for an antivirus, and MBAM Free as a primary antispyware tool.

I also have Spybot: Search & Destroy installed on my system to make use of its TeaTimer and Browser Immunization features, but I don't use the scan feature unless MBAM or the AV finds something, or if my system is behaving weird, because a Spybot scan takes forever to run.

I used to use Ad-aware, but I dropped it from my arsenal in favor of SUPERAntiSpyware. Like Spybot, it is configured not to run unless I start it manually, which I don't do unless I have a reason (again, a detection or odd behavior). Here's the link for downloading Spybot, and if you'd like to get more information on Spybot, their homepage is http://www.safer-networking.org

For a firewall, I'd recommend Kerio

***************************************************

If you like Avast, you won't go wrong by sticking with it. It's the other antivirus I usually recommend.

An important note though: It is important that you only have 1 antivirus and 1 firewall installed on your computer at a time.

~Blade



#9 JHWKS4ME
  • Members (Topic Starter)

Posted 30 June 2009 - 04:01 AM

I went ahead and turned System Restore off and on and swept using MBAM again in both safe and normal modes to be sure nothing came back. Everything came back clean. I then used Flash Disinfector to clean my two flash drives and perhaps my iPod, although I don't use it as a removable drive anyway. I then finally Googled some stuff and clicked on every one of the 10 links...and no redirect! I can't believe it! I am actually still in disbelief that this thing is gone. Knock on wood, but I have never gotten a virus of any consequence on my computer before so this really freaked me out. Anyway, is there any other test or scan I need to do to make sure everything is clean or can I finally exhale and enjoy life again?

Also, how many antispyware programs does a normal person use? I normally have just the one, but it seems you use two or three. Again, I want to keep Spyware Sweeper until my subscription runs out, but then I may dump it for Spybot, if that's the better choice. And I will keep SuperAntiSpyware and dump Ad Aware, as well, per your instructions, if it's OK to keep more than one on my system at a time. I guess that's it. I will await your response, but thanks again for everything. You're a life saver and helped me keep some cash in my pocket!

#10 JHWKS4ME
  • Members (Topic Starter)

Posted 30 June 2009 - 05:20 AM

Sorry, I had one last question about the firewall. I see that you recommend Kerio...is that the paid or the free version? Because in looking at their website, it seems that the free version may not give as much protection as I could get with other free firewalls. But I also noted that it's light on resources, a big plus in my book. Comodo seems to be the one everyone says is the best free firewall, but many people complain about it blocking everything and their having to click on warnings all the time. I actually liked another popular pick, ZoneAlarm Free, but it seemed to be a resource hog and apparently doesn't do well at all in leak tests. I guess my question would be what, based on your knowledge, would be the best free firewall among the ones listed below in terms of lowest resource usage combined with solid protection and being "user friendly." I keep trying to read these forums and one will say one thing and another will say the exact opposite (ex.-ZA is a resource hog, no Comodo is, et. al.). Again, sorry to keep asking questions, but I want to get the best free firewall that I can.

* Comodo
* Zone Alarm
* Online Armor
* Outpost
* Kerio (old version or new one since Sunbelt took them over?)
* PC Tools
* any others you might recommend

Thanks again.

#11 Blade
  • Site Admin

Posted 01 July 2009 - 03:53 AM

Hello JHWKS4ME,

Knock on wood, but I have never gotten a virus of any consequence on my computer before so this really freaked me out. Anyway, is there any other test or scan I need to do to make sure everything is clean or can I finally exhale and enjoy life again?


I don't blame you for getting a little freaked; having malware infect your system can be pretty scary if you don't know what to do. You did well though; you came and found help. Good job! You can definitely exhale, and enjoy life. We can run an Online AV Scan to double check everything though. This scan can take a while, but is quite thorough. It should bring you some peace of mind.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
***************************************************

Also, how many antispyware programs does a normal person use?


First I should ask you to define what you mean by normal. If you take the general definition, meaning the typical computer user possessing the typical level of knowledge regarding such matters, I would answer zero. It's remarkable how many users out there have no protection besides an antivirus, if they even have that much... It's a disaster waiting to happen. But I digress.

As you've seen, there is not a definite limit to the number of antispyware programs you can safely have on your machine. How many you choose to have and how you run them is up to you. Each antispyware program is different in many aspects. They scan using different methods, they can more easily detect different infections, they offer different features, etc. I use MBAM and SUPERAntiSpyware (SAS) because they complement each other nicely; they scan using different methods and each will be able to find much of what the other cannot. In addition, MBAM runs much more effectively in normal mode than it does in Safe mode, while SAS is at full strength in Safe Mode. Spybot is on my system primarily because of the resident protection and browser immunization features it offers that I mentioned earlier. I wouldn't go so far as to say Spybot is better than Spyware Sweeper; I've never used Spyware Sweeper before so I can't really pass judgement on it, and I haven't heard much about it either. All legitimate antispyware programs bring something to the table, some just bring more than others.

But to get directly to the point of your question, if you keep MBAM and SAS you ought to be fine; there's not much that neither of those two will catch, so long as you remember to keep them updated. The Spybot thing is completely optional; for me it's mainly a relic from a past antispyware setup that I kept around because I just like those features and I can set it so that those features are active without having to have the entire Spybot program running.

***************************************************

Regarding your firewall questions.

It's true that in terms of protection, Comodo outperforms Kerio. However, as you noted, Kerio is much lighter on system resources. You mentioned in an earlier post that you were looking for a good, resource-friendly firewall; that led me to recommend Kerio to you. For the average user, Kerio free version should be sufficient. There is no firewall that wins in all of the areas you mentioned. The simplest answer I can give you is this: For you, I think Kerio would be a good fit, since you had problems with ZA bogging down your machine. However, if you want to sacrifice system resources for an extra level of protection, then you should go with Comodo.

Hope that helps.

~Blade



#12 JHWKS4ME
  • Members (Topic Starter)

Posted 06 July 2009 - 01:38 AM

Blade,

Thanks again for the advice. Before I got to scan my computer with Kaspersky (which I still plan to do), I did my weekly scan with MBAM and it found two more instances of a Trojan.Agent. Both were .dat files in the windows/system32 section of my computer and had "SKYNET" in the file name. Is this evidence that my first infection wasn't cleaned out completely or could this be a new infection? I quarantined the files and I've done many more MBAM scans (safe and normal modes), in addition to a Super AntiSpyware scan (safe mode), and nothing more has been found, but nonetheless, I will await your instructions on what to do next.

Also, I tried to install the Kerio firewall and my computer froze up on me. I hit cancel and it looked like it reversed the installation process, but now every time I try to install it, I get an error saying that it already exists on my system. Any suggestions? Thanks!

P.S.-I am attaching the "infected" log along with my most recent "clean" logs in both normal and safe mode. Let me know if you need anything else. Thanks again and sorry to keep bugging you with this problem.

P.P.S.-I cleaned out the MBAM quarantine file (with all the previous Trojan infections) the other day by deleting the items in there. Would that have been a mistake and could it have caused these 2 new infections to show? If so, what should I do with the two I quarantined today?


"Infected" Log (Safe Mode):

Malwarebytes' Anti-Malware 1.38
Database version: 2377
Windows 5.1.2600 Service Pack 3

7/5/2009 3:58:51 PM
mbam-log-2009-07-05 (15-58-51).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 128187
Time elapsed: 18 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\SKYNETbyhefiyk.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETgcqhrhxe.dat (Trojan.Agent) -> Quarantined and deleted successfully.


"Clean" Log (Normal Mode):

Malwarebytes' Anti-Malware 1.38
Database version: 2378
Windows 5.1.2600 Service Pack 3

7/5/2009 9:16:08 PM
mbam-log-2009-07-05 (21-16-08).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 128677
Time elapsed: 16 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


"Clean" Log (Safe Mode):

Malwarebytes' Anti-Malware 1.38
Database version: 2378
Windows 5.1.2600 Service Pack 3

7/5/2009 10:58:55 PM
mbam-log-2009-07-05 (22-58-55).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 128520
Time elapsed: 16 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
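A small parser for the MBAM log layout quoted in the post above, added here as an example (it is not part of the thread and not a Malwarebytes tool). It pulls the summary counts and the per-section detection lines so that an "infected" and a "clean" scan can be compared programmatically, and flags detections whose file name carries the SKYNET prefix mentioned in the post; the embedded sample log is a constructed excerpt.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the layout of the MBAM 1.38 logs quoted in the post above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2377
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|D:\|)
Folders Infected: 0
Files Infected: 2

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\SKYNETbyhefiyk.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETgcqhrhxe.dat (Trojan.Agent) -> Quarantined and deleted successfully.
"""

@dataclass
class MbamReport:
    database_version: str = ""
    counts: dict = field(default_factory=dict)      # "Files Infected" -> 2
    detections: list = field(default_factory=list)  # (location, threat, action) tuples

COUNT_RE = re.compile(r"^(?P<label>[A-Za-z ]+ Infected): (?P<n>\d+)$")
DETAIL_RE = re.compile(r"^(?P<loc>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text: str) -> MbamReport:
    """Parse the summary counts and the per-section detection lines of an MBAM log."""
    report, in_section = MbamReport(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # a blank line closes a detail section
            in_section = False
        elif line.startswith("Database version:"):
            report.database_version = line.split(":", 1)[1].strip()
        elif (m := COUNT_RE.match(line)):  # "Files Infected: 2" summary line
            report.counts[m["label"]] = int(m["n"])
        elif line.endswith(" Infected:"):  # "Files Infected:" section header
            in_section = True
        elif in_section and (m := DETAIL_RE.match(line)):
            report.detections.append((m["loc"], m["threat"], m["action"]))
    return report

def flagged(report: MbamReport, prefix: str = "SKYNET") -> list:
    """Locations whose file name starts with the rootkit's name prefix (case-insensitive)."""
    return [loc for loc, _, _ in report.detections
            if loc.rsplit("\\", 1)[-1].upper().startswith(prefix.upper())]
```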

#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:02:08 PM

Posted 06 July 2009 - 01:11 PM

Hello

Interesting, albeit irritating :thumbsup:. It could be that the infection wasn't entirely removed, or it could be that an update to MBAM enabled it to find some more leftovers that it missed earlier.

I would like you to perform a simple test to let us see if this infection's rootkit is active. Please create a Notepad file and save it to your Desktop with the name Test.txt. Now, close the notepad file, and right click on Test.txt on your Desktop and select Rename. Rename the file to SKYNETtest.txt. If the rootkit is still active, the file should vanish. Let me know if this happens.

Regarding the Kerio issue, check to see if there is an Add/Remove Programs entry for it. If there is. . . click Change/Remove and follow the instructions to get rid of it. Then try installing the firewall again.

~Blade

Edited by Blade Zephon, 06 July 2009 - 01:12 PM.

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
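The rename test above, written as a probe script; this is an added example, not Blade's instructions or any vendor's tool. It creates the three name variants the thread tries plus a control name in a scratch directory, then checks whether the write succeeded, whether the path still resolves, whether the name shows up in a directory listing, and whether the content reads back; a name that was written but then fails any of those checks is what a name-hiding rootkit looks like from user mode. The SKYNET prefix comes from the thread; the scratch directory and the control name are assumptions.

```python
import os
import tempfile

def name_visible(directory: str, name: str) -> dict:
    """Create <name> in <directory>, then ask the OS three ways whether it is still there.
    A rootkit that filters a name prefix lets the write succeed but makes the file
    vanish from path lookups and directory listings; a clean system reports all True."""
    path = os.path.join(directory, name)
    result = {"created": False, "exists": False, "listed": False, "readable": False}
    try:
        with open(path, "w") as fh:
            fh.write("probe\n")
        result["created"] = True
    except OSError:
        return result                       # write refused: record it and move on
    result["exists"] = os.path.exists(path)           # path lookup
    result["listed"] = name in os.listdir(directory)  # directory enumeration
    try:
        with open(path) as fh:                        # read-back of the content
            result["readable"] = fh.read() == "probe\n"
    except OSError:
        pass
    try:
        os.remove(path)                     # best-effort cleanup of the probe file
    except OSError:
        pass
    return result

def probe_prefix(prefix: str = "SKYNET", directory: str = "") -> dict:
    """Run the probe for the three name variants tried in the thread plus a control name."""
    directory = directory or tempfile.mkdtemp(prefix="probe-")   # assumed scratch location
    names = ["control_test.txt", f"{prefix}test.txt", f"{prefix}test", prefix]
    return {n: name_visible(directory, n) for n in names}

def hidden_names(report: dict) -> list:
    """Names that were written but then failed at least one visibility check."""
    return [n for n, r in report.items()
            if r["created"] and not (r["exists"] and r["listed"] and r["readable"])]

if __name__ == "__main__":
    rep = probe_prefix()
    for n, r in rep.items():
        print(f"{n:20} {r}")
    print("hidden:", hidden_names(rep) or "none")
```

The control name should always pass; if the SKYNET variants fail while the control passes, the hiding is name-specific rather than a permissions problem with the directory.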


#14 JHWKS4ME

JHWKS4ME
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:11:08 AM

Posted 06 July 2009 - 06:20 PM

Blade,

Well, the good news (I think) is that when I renamed the file, nothing happened. It didn't disappear or anything. I named it both SKYNETtest.txt and plain, old SKYNETtest and neither made the file disappear. I even went back and named it simply SKYNET and still, nothing happened. I would assume this is a good thing because if the rootkit still existed on my system, it would hide anything named SKYNET to avoid my antispyware and antivirus programs from detecting it, correct?

With regards to Kerio, I thought the same thing...that certain files may have already been installed. But I went to Add/Remove Programs and nothing having to do with Kerio or Sunbelt is there, so I can't uninstall anything. I guess I may have to give up on using it if it keeps giving me the same install error.

Let me know what to do next, if anything. Thanks again for your help.

Alex

#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:02:08 PM

Posted 06 July 2009 - 07:22 PM

Hello

I would assume this is a good thing because if the rootkit still existed on my system, it would hide anything named SKYNET to avoid my antispyware and antivirus programs from detecting it, correct?


Well. . . sort of. Not even the Windows OS can "see" files hidden by an active rootkit. Some malware scanners can detect these files though using special scanning methods, but traditional scans will not be able to detect them. You've got the right idea though. :thumbsup:

Regarding your firewall issue. . . when you cancelled the installation the installer apparently didn't remove all traces, so the OS still thinks you have the program installed. You can try checking system restore and see if a restore point was created before you first attempted the installation. If there is one you should try restoring back to that; hopefully that will resolve your issue. You can also try looking through your Program Files directory for a folder relating to Kerio. If one exists, see if there is an uninstaller of some sort in there. If neither of those work, let me know.

~Blade

Edited by Blade Zephon, 06 July 2009 - 07:24 PM.





