
Shopica


21 replies to this topic

#1 kury

kury

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 17 July 2009 - 07:44 PM

Hi. Even though this is supposed to be a forum for determining whether or not your computer is infected, I'm absolutely sure that my computer is infected. About three weeks ago, whenever I opened Firefox it took forever to load. Additionally, whenever I did a Google search, I would get redirected somewhere else every time. The most common of these redirects was to Shopica.com. I have since downloaded Malwarebytes, SUPERAntiSpyware, and AVG. I even used the ESET online scanner. After the first time with each scan, something malicious would be found and deleted. This had the effect of making redirects happen very infrequently, and redirects to Shopica.com itself had stopped. Until today. I rescanned with all of the above-mentioned programs and have found nothing as of today. I haven't had any redirects either, but I believe that since I wasn't able to remove anything, whatever it is that is causing the redirects must still be there. Please help; this thing is evil and I want it off my computer before I take the Bar Exam. Any and all help would be appreciated.

Edited by kury, 17 July 2009 - 07:45 PM.



#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:16 AM

Posted 17 July 2009 - 08:58 PM

Hello and welcome to Bleeping Computer

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then select the Immediate notification bubble and press Submit.



Please run ATF and SAS:
Credits to Boopme

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#3 kury

kury
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 18 July 2009 - 03:30 PM

Alright, after 3 hours and 82000+ files, here is the SAS log. As anticipated, it found nothing wrong with my laptop, and this is after I had updated it.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/18/2009 at 01:02 AM

Application Version : 4.26.1006

Core Rules Database Version : 4003
Trace Rules Database Version: 1943

Scan type : Complete Scan
Total Scan Time : 02:58:42

Memory items scanned : 221
Memory threats detected : 0
Registry items scanned : 5062
Registry threats detected : 0
File items scanned : 82219
File threats detected : 0

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:16 AM

Posted 18 July 2009 - 03:41 PM

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Chewy

No. Try not. Do... or do not. There is no try.

#5 kury

kury
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 18 July 2009 - 04:57 PM

Hi. I used GooredFix, although it didn't really correspond to the directions you gave me. All it had was three options: Find Goored, Fix Goored, and Exit. Not knowing which to pick, I simply chose the first option, and this is the log of that option:

GooredFix v1.92 by jpshortstuff
Log created at 14:51 on 18/07/2009 running Option #1 (dungeon master)
Firefox version 3.0.11 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
______________________________________________________________________

I do not know if those are actual files that it has deleted, or if this is just the program's way of telling me that these are still there and have been flagged as the suspect files.

This brings up a related question. I recently had to get rid of McAfee antivirus because it refused to let me connect to the internet for some reason. Once I did this I tried to switch to AVG. I am unaware if AVG ever updated, but it certainly can't update now. Is this because of these suspected files, or could it be for some other reason?

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:16 AM

Posted 18 July 2009 - 05:04 PM

Please download and run the new version; yours is old.

Please download and run Process Explorer:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under File, Save As, create a log and post it here.

Copy and paste it into a reply.
Chewy

No. Try not. Do... or do not. There is no try.

#7 kury

kury
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 18 July 2009 - 05:08 PM

OK, here is the log from the new gooredfix application, which I downloaded from one of the mirrors.

GooredFix by jpshortstuff (12.07.09)
Log created at 15:06 on 18/07/2009 (dungeon master)
Firefox version 3.0.11 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [18:17 26/08/2005]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [08:25 24/05/2009]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF" [08:25 24/05/2009]

-=E.O.F=-

#8 kury

kury
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 18 July 2009 - 05:12 PM

Sorry, forgot the process explorer log. Here it is.

Process PID CPU Description Company Name
System Idle Process 0 98.46
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 892 Windows NT Session Manager Microsoft Corporation
csrss.exe 948 Client Server Runtime Process Microsoft Corporation
winlogon.exe 980 Windows NT Logon Application Microsoft Corporation
services.exe 1028 1.54 Services and Controller app Microsoft Corporation
ati2evxx.exe 1212 ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 1244 Generic Host Process for Win32 Services Microsoft Corporation
1XConfig.exe 1280 8021XConfig Module Intel
wmiprvse.exe 2624 WMI Microsoft Corporation
svchost.exe 1356 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1416 Generic Host Process for Win32 Services Microsoft Corporation
wscntfy.exe 2132 Windows Security Center Notification App Microsoft Corporation
wuauclt.exe 3728 Windows Update Automatic Updates Microsoft Corporation
EvtEng.exe 1476 EvtEng Module Intel Corporation
S24EvMon.exe 1592 Event Monitor - Supports driver extensions to NIC Driver for wireless adapters. Intel Corporation
WLKEEPER.exe 1652 WLKEEPER Intel® Corporation
svchost.exe 1820 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1952 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 700 Spooler SubSystem App Microsoft Corporation
svchost.exe 1812 Generic Host Process for Win32 Services Microsoft Corporation
avgwdsvc.exe 1168 AVG Watchdog Service AVG Technologies CZ, s.r.o.
avgrsx.exe 2080 AVG Resident Shield Service AVG Technologies CZ, s.r.o.
avgnsx.exe 2184 AVG Network scanner Service AVG Technologies CZ, s.r.o.
MDM.EXE 1680 Machine Debug Manager Microsoft Corporation
NicConfigSvc.exe 1892 Internal Network Card Power Management Service Dell Inc.
RegSrvc.exe 240 RegSrvc Module Intel Corporation
svchost.exe 376 Generic Host Process for Win32 Services Microsoft Corporation
ViewpointService.exe 472 ViewMgr Viewpoint Corporation
WebUpdateSvc4.exe 596 Web Update Wizard Service (V4) Data Perceptions / PowerProgrammer
alg.exe 836 Application Layer Gateway Service Microsoft Corporation
lsass.exe 1040 LSA Shell (Export Version) Microsoft Corporation
ati2evxx.exe 1500 ATI External Event Utility EXE Module ATI Technologies Inc.
ZCfgSvc.exe 1856 ZeroCfgSvc MFC Application Intel Corporation
explorer.exe 2028 Windows Explorer Microsoft Corporation
Apoint.exe 1348 Alps Pointing-device Driver Alps Electric Co., Ltd.
iFrmewrk.exe 1640 Intel Framework MFC Application Intel Corporation
dlbtbmgr.exe 1704 Dell Dell 922 Button Manager
dlbtbmon.exe 2088 Dell Dell 922 Button Monitor
issch.exe 2216 InstallShield Update Service Scheduler InstallShield Software Corporation
avgtray.exe 2388 AVG Tray Monitor AVG Technologies CZ, s.r.o.
ctfmon.exe 2420 CTF Loader Microsoft Corporation
SUPERANTISPYWARE.EXE 2428 SUPERAntiSpyware Application SUPERAntiSpyware.com
DLG.exe 3856 Digital Line Detection BVRP Software
procexp.exe 1188 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
ApntEx.exe 2356 Alps Pointing-device Driver for Windows NT/2000/XP Alps Electric Co., Ltd.

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:16 AM

Posted 18 July 2009 - 05:23 PM

Let's have a brand new MBAM scan please

Please download Malwarebytes Anti-Malware (v1.39) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#10 kury

kury
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 18 July 2009 - 05:34 PM

The list is still populating for my impending removal of MBAM before I download the new version you've suggested. Before anything else, I just want to thank you and Computer Pro for the help you guys have given me. For the first time I think I might actually beat this thing.

#11 kury

kury
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 18 July 2009 - 06:15 PM

The program won't run. Instead I get a message that says "The database you are using is not supported by this version of Malwarebytes Anti-Malware. Download the latest version of the program."

#12 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:16 AM

Posted 18 July 2009 - 06:23 PM

You do not need to uninstall the previous version of Malwarebytes to install the new one. They will slipstream over each other. And are you getting the "The Database you are using is not supported by this version of Malwarebytes Anti-Malware. Download the latest version of the program" when you try to run the v1.39?
Computer Pro

#13 kury

kury
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 18 July 2009 - 06:24 PM

That is correct. Let me clarify; after I uninstalled the previous version, I downloaded and installed version 1.39. It was unable to update itself, much like AVG. So, I clicked the link for the updates in DaChew's post and downloaded and installed them. Now I am unable to even open version 1.39.

Edited by kury, 18 July 2009 - 06:31 PM.


#14 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:16 AM

Posted 18 July 2009 - 07:14 PM

I sent you a link to download a new rules file for MBAM

See this thread for details on how to install the file

http://www.bleepingcomputer.com/forums/topic241642-15.html
Chewy

No. Try not. Do... or do not. There is no try.

#15 kury

kury
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 18 July 2009 - 09:04 PM

OK, here is the log after updating MBAM.

Malwarebytes' Anti-Malware 1.39
Database version: 2453
Windows 5.1.2600 Service Pack 2

7/18/2009 5:59:23 PM
mbam-log-2009-07-18 (17-59-23).txt

Scan type: Quick Scan
Objects scanned: 84098
Time elapsed: 9 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux (Trojan.JSRedir.H) -> Bad: (C:\WINDOWS\system32\..\ivuy.mcq) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ivuy.mcq (Trojan.JSRedir.H) -> Quarantined and deleted successfully.

At this point I think it would be helpful to let you know that once I restarted, my AVG immediately began updating again. I know that's a good sign, but I was wondering if there were any further steps you think I need to take to either clean up after removing those files or make the computer safer. Also, how do I create a new system restore point?
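The two registry dumps in this thread (the GooredFix output in post #7 and the MBAM log in post #15) point at three things worth checking by hand on a machine with this kind of search redirect: the `Drivers32` key, whose `aux`/`wave`/`midi`/`mixer` values name the user-mode multimedia driver that winmm loads into every process touching the audio API, browsers included; the Security Center `*DisableNotify` values, which the trojan flipped to silence the "updates are off" balloon; and the machine-wide Firefox extension registrations that GooredFix prints. Note how the hijacked value `C:\WINDOWS\system32\..\ivuy.mcq` is written so that it still looks like it lives in system32, while the `..` makes it resolve to the `C:\WINDOWS\ivuy.mcq` that MBAM lists under "Files Infected". The script below is an added example written for this page, not a BleepingComputer, Malwarebytes or GooredFix tool; it parses a `reg export` style dump and flags those three conditions. The `.reg` text inside it is constructed by hand from the values in the two logs (the `wave`/`midi`/`msacm.msg711` entries and the `AntiVirusDisableNotify` value are assumed defaults, not taken from the poster's machine), and `C:\WINDOWS\system32` is assumed to be the system directory.

```python
"""Triage a Windows `reg export` dump for the indicators seen in this thread:
a hijacked Drivers32 audio-driver alias, Security Center notifications that
have been switched off, and Firefox extensions registered machine-wide.

Added example for this page; not a BleepingComputer, Malwarebytes or
GooredFix tool. SAMPLE_REG is constructed from the thread's logs by hand.
"""
import ntpath
import re

# Constructed sample (assumption: roughly what `reg export` of the three keys
# would have produced before MBAM cleaned the machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="C:\\WINDOWS\\system32\\..\\ivuy.mcq"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"msacm.msg711"="msg711.acm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\\Program Files\\AVG\\AVG8\\Firefox"
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\\Program Files\\AVG\\AVG8\\ToolbarFF"
"""

DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
FF_EXTENSIONS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions"

# On XP the core audio aliases all map to wdmaud.drv (the "Good:" value in the
# MBAM log). winmm loads whatever file is named here into any process that
# initialises the multimedia API, which is how a redirector reaches browsers.
EXPECTED_AUDIO = {"aux": "wdmaud.drv", "wave": "wdmaud.drv",
                  "midi": "wdmaud.drv", "mixer": "wdmaud.drv"}
SYSTEM_DIR = r"C:\WINDOWS\system32"          # assumption: default XP install
NOTIFY_VALUES = ("UpdatesDisableNotify", "AntiVirusDisableNotify",
                 "FirewallDisableNotify")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg syntax. Quoted strings
    are unescaped (doubled backslashes collapsed), dword: data becomes an int,
    anything else (hex(...) blobs) is kept as the raw string."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                keys[current][name] = data
    return keys


def check_drivers32(keys):
    """Flag Drivers32 values that look hijacked.
    Returns a list of (alias, raw_data, resolved_path, reasons)."""
    findings = []
    for alias, data in keys.get(DRIVERS32, {}).items():
        if not isinstance(data, str):
            continue
        reasons = []
        if alias in EXPECTED_AUDIO and data.lower() != EXPECTED_AUDIO[alias]:
            reasons.append("expected " + EXPECTED_AUDIO[alias])
        if ".." in data.split("\\"):
            reasons.append("parent-directory traversal in path")
        if ntpath.splitext(data)[1].lower() not in (".drv", ".dll", ".acm", ".ax"):
            reasons.append("extension unusual for a multimedia driver")
        # A bare file name is loaded from system32; an absolute path should
        # still land there once any '..' components are collapsed.
        resolved = ntpath.normpath(data) if "\\" in data else data
        if "\\" in data and not resolved.lower().startswith(SYSTEM_DIR.lower() + "\\"):
            reasons.append("resolves outside system32")
        if reasons:
            findings.append((alias, data, resolved, reasons))
    return findings


def check_security_center(keys):
    """Return the Security Center notifications that have been switched off."""
    sc = keys.get(SECURITY_CENTER, {})
    return [v for v in NOTIFY_VALUES if sc.get(v) == 1]


def list_firefox_extensions(keys, known=frozenset()):
    """Return (guid, install_dir) pairs registered for every profile on the
    machine, minus GUIDs the reviewer already recognises. Extensions installed
    this way cannot be uninstalled from inside Firefox, which is why GooredFix
    dumps the same key."""
    return [(g, p) for g, p in keys.get(FF_EXTENSIONS, {}).items() if g not in known]


def triage(text, known_extensions=frozenset()):
    keys = parse_reg(text)
    return {"drivers32": check_drivers32(keys),
            "security_center": check_security_center(keys),
            "firefox_extensions": list_firefox_extensions(keys, known_extensions)}


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_REG).items():
        print(section)
        for hit in hits:
            print("   ", hit)
```

On a live XP machine the dump comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg` (and likewise for the other two keys); depending on the Windows version reg.exe writes the file as UTF-16 with a byte-order mark, so check the first bytes and open it with the matching encoding before handing the text to `triage`. Anything this flags under `drivers32` deserves the same treatment MBAM applied here: restore the alias to `wdmaud.drv`, then remove the file it pointed at, in that order, so the driver is not re-loaded on the next reboot.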



