My Google is being redirected- seems to be a common problem...


17 replies to this topic

#1 JCARegal (Members, 21 posts, Glasgow, Scotland)

Posted 04 August 2009 - 02:26 PM

I keep being redirected to weird sites 90% of the time I make a search on Google...some of the amazingly useful sites (NOT) that I get redirected to are:
http://4searchworld.com/search.php?q=big (a lovely polite message pops up: "Loading...Please wait a few second (yes it does actually say "Second" which is not suspicious at all :thumbsup: ) while browser redirects you...")

MFeed Search: http://direct-searches.com/ This being the most common one

Redirect: http://www.primosearch.com/

and then last of all and the least expected redirect: EBAY! ( http://www.ebay.co.uk/?rvr_id=&keyword=ebay )

As I say, I don't know if this is a virus, an issue with my browser or if it's really just an issue from Google's end...However Google is still performing these lovely unauthorised redirects and it seems to be happening to a lot of people. :trumpet:

I'd be very grateful if someone could please help me.

Thanks in advance,

JCARegal :flowers:
Be happy while you're living, for you're a long time dead.
I'll be very impressed if you can pronounce Milngavie the proper way and you're not from Scotland...

#2 -Always-Stoned- (Members, 3 posts)

Posted 04 August 2009 - 02:51 PM

I am having the same exact problems, but I am also having problems updating any of my anti-bad stuff programs :thumbsup:

#3 boopme, "To Insanity and Beyond" (Global Moderator, 73,428 posts, NJ USA)

Posted 04 August 2009 - 03:25 PM

Hello, we need to do 2 things here. One is fix your signature and 2 is run this malware scanner.

Please read... BleepingComputer.com Message Board Rules

Signatures are limited to 5 lines or 2000 characters; whichever comes first. If your signature is larger than the allotted size given or deemed unacceptable, you will be requested to adjust your signature. Failure to comply will result in the removal of your signature.


Only one image per signature. Images in signatures must also be no larger than 500 pixels wide X 90 pixels high. If you have more than one image you will be requested to remove one. If this is not done in a timely manner the staff has the right to modify your signature to abide by these rules.


Any links in signatures can not be commercial in nature. You also may not put links in your signature soliciting donations unless you are in certain member groups. Those member groups that are allowed will be expressly notified. If you have a personal website or off-site help resource, that is more than fine, but you can not sell products or services through your signature. Multiple links to the same site, unless for a very specific reason, are not permitted in a signature.



Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 JCARegal, Topic Starter (Members, 21 posts, Glasgow, Scotland)

Posted 24 August 2009 - 08:06 AM

Hi there, sorry for the late reply but I was on holiday for the past two weeks...will fix that sig now :flowers:

Anyway, ran that Stopzilla spyware tool and it came up with some results:

Virus Alert: Registry key: HKLM\software\8 with three extensions off this 4 objects

Cel90xbe: Trojan: File: C:\Documents and settings\username\Local Settings\Temp\Cel90xbe.sys
with Registry entries under: HKLM\CurrentControlSet\Services\Cel90xbe 9 objects

MalPak.E: Spyware, Adware, Trojan: C:\Documents and settings\username\local settings\Temp\sintf32.dll
and C:\Documents and settings\username\local settings\Temp\sintfnt.dll

Search Hijacker.G: C:\System Volume Information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\rp6\a0001133.sys

and a couple of host files: 127.0.0.1 google.panet.org, 127.0.0.1 safer-networking.info, 127.0.0.1 www.safer-networking.info, 127.0.0.1 www.spywareinfo.com, 127.0.0.1 spywareinfo.com

and then host file.B: Trojan: 127.0.0.1 www.antispyware.com, 127.0.0.1 antispyware.com


plus a couple of cookies

MalwareBytes antimalware log:

Malwarebytes' Anti-Malware 1.40
Database version: 2687
Windows 5.1.2600 Service Pack 3

24/08/2009 13:41:02
mbam-log-2009-08-24 (13-41-02).txt

Scan type: Quick Scan
Objects scanned: 148911
Time elapsed: 27 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


hope this is of some help

thanks in advance,

JCARegal :thumbsup:
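The Stopzilla findings above are a classic hosts-file hijack: security-vendor names pointed at 127.0.0.1 so the victim cannot reach help or updates. The following is an added example (not a tool used in this thread) that audits hosts-file content for exactly that pattern; the sample hosts text is constructed from the entries JCARegal posted, and the watched-domain list is an assumption built from those names plus a few vendor domains.

```python
"""Audit a Windows hosts file for hijack-style entries.

Flags (1) any watched security-vendor domain that is remapped at all and
(2) any name other than localhost that is sent to a loopback/unspecified
address. Runs offline on the constructed sample below.
"""
import ipaddress
import re
from typing import List, NamedTuple

# Constructed sample in the layout of C:\WINDOWS\system32\drivers\etc\hosts,
# reproducing the entries reported in the thread plus two benign lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
127.0.0.1 google.panet.org
127.0.0.1 safer-networking.info
127.0.0.1 www.safer-networking.info
127.0.0.1 www.spywareinfo.com
127.0.0.1 spywareinfo.com
127.0.0.1 www.antispyware.com
127.0.0.1 antispyware.com
192.168.1.10    fileserver.lan   # legitimate LAN entry, for contrast
"""

# Names that legitimately resolve to loopback.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumption: illustrative list of vendor/help domains a hijacker blocks.
# Built from the thread's entries plus a few vendors; extend per environment.
WATCHED_DOMAINS = {
    "safer-networking.info",
    "spywareinfo.com",
    "antispyware.com",
    "malwarebytes.org",
    "sophos.com",
    "microsoft.com",
}


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    reason: str


def _is_watched(hostname: str) -> bool:
    """True if hostname equals a watched domain or is a subdomain of one."""
    parts = hostname.lower().split(".")
    # Check every suffix with at least two labels (e.g. www.a.b -> a.b).
    return any(".".join(parts[i:]) in WATCHED_DOMAINS for i in range(len(parts) - 1))


def audit_hosts(text: str) -> List[Finding]:
    """Return one Finding per suspicious mapping in hosts-file content."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append(Finding(line_no, fields[0], " ".join(fields[1:]),
                                    "unparseable address"))
            continue
        for name in fields[1:]:
            lname = name.lower()
            if _is_watched(lname):
                findings.append(Finding(line_no, str(addr), lname,
                                        "security-vendor site redirected"))
            elif (addr.is_loopback or addr.is_unspecified) and lname not in BENIGN_LOOPBACK_NAMES:
                findings.append(Finding(line_no, str(addr), lname,
                                        "non-localhost name mapped to loopback"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address} -> {f.hostname}: {f.reason}")
```

On a live XP box the same function can be fed the real file; a clean default hosts file yields no findings at all.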

#5 boopme, "To Insanity and Beyond" (Global Moderator, 73,428 posts, NJ USA)

Posted 24 August 2009 - 10:51 AM

Hello and welcome!! No problem as I just got back myself. First this advice about the Backdoor Bots removed.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


Next you should run these.

Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



Follow with an ARK by Sophos.
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Please post back the SAS and Sophos logs, thanks.

#6 JCARegal, Topic Starter (Members, 21 posts, Glasgow, Scotland)

Posted 27 August 2009 - 08:33 AM

Ok so for these past few days I have been performing the tasks and the computer has been running VERY slow. Norton picked up a suspicious file more than once called: MH690.A and deleted it...at least that's what it said anyway cos it said that it was found in the content.IE5 folder...Sophos picked up a strange file in there too so I'm not convinced it's dead...

Here is the Sophos log:


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 27/08/2009 at 10:59:13
User "Callan" on computer "THEBOYS"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\Callan\Local Settings\Temporary Internet Files\Content.IE5\G5DFKKKN\m;net=ns;u=ns-48804547_1251365916,1137efa4ad8971b,CE_Laptops_Rugged,;;kw=;tile=2;ord1=999577;sz=300x250,336x280;contx=CE_Laptops_Rugged;btg=;ord=9725049985500434[1]
Hidden: file C:\Documents and Settings\Callan\Local Settings\Temporary Internet Files\Content.IE5\6PDA8W3X\s;net=ns;u=ns-17063849_1251365912,1137efa4ad8971b,CE_Laptops_Rugged,;;kw=;tile=1;ord1=297088;sz=300x250,336x280;contx=CE_Laptops_Rugged;btg=;ord=9725049985500434[2]
Stopped logging on 27/08/2009 at 11:35:42


There is no log file in SUPERAntiSpyware though but it DID remove 4 threats when I was logged in as administrator in safe mode...if I remember correctly, the 4 objects deleted were under the registry key HKCU\Software\8; the registry key is no longer there so I take it that it was deleted successfully.

hope this helps,

Thanks in advance,

JCARegal :thumbsup:

#7 boopme, "To Insanity and Beyond" (Global Moderator, 73,428 posts, NJ USA)

Posted 29 August 2009 - 11:00 PM

Ok, looks better and yes that probably happened. I had a family emergency and could not get back till now.
Do this and tell me how it's running now?

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#8 JCARegal, Topic Starter (Members, 21 posts, Glasgow, Scotland)

Posted 31 August 2009 - 05:13 AM

That's ok, just hope everything is ok :flowers: I had to attend a birthday party all weekend anyway so that's why I'm just replying.

Anyway, the computer seems to be running a lot faster but this might be because I uninstalled two games: Lord of the Rings: The Battle for Middle Earth 2 and the expansion pack, Return of the Witch-King. This freed up about 8 GB. Then I deleted other things that had been taking up room on my desktop and uninstalled them; this must've freed up around about another Gig. Then I ran MBAM in quick scan and it returned nothing:

Malwarebytes' Anti-Malware 1.40
Database version: 2720
Windows 5.1.2600 Service Pack 3

31/08/2009 09:01:22
mbam-log-2009-08-31 (09-01-22).txt

Scan type: Quick Scan
Objects scanned: 130701
Time elapsed: 8 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I also performed a full system scan but it didn't find anything either. I'm not sure if that's ALL the "hidden objects" found and deleted...

Something weird was going on though before these scans started: Norton Internet Security was trying to perform a full system scan but kept shutting down suddenly every time this was attempted. Then of course one-click support popped up. Not sure whether this is manipulation from "another source" or if Norton needs to be uninstalled then reinstalled. Also, a friend of my dad's at that birthday at the weekend recommended that I use Avast! Antivirus. He's a computer programmer and said that he's used it for a long time and hasn't had a problem with viruses ever since.

Hope this helps,

JCARegal :thumbsup:

#9 boopme, "To Insanity and Beyond" (Global Moderator, 73,428 posts, NJ USA)

Posted 31 August 2009 - 01:46 PM

Hi, yes it either needs the R&R or removal. If you are to remove then use this.
Download and run the Norton Removal Tool
Then install Avast or AntiVir from here.. L@@K

After all that is done...
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#10 JCARegal, Topic Starter (Members, 21 posts, Glasgow, Scotland)

Posted 01 September 2009 - 12:08 PM

Hi Boopme, I did everything that you asked and repaired Norton and installed Avast! even though Norton said that it is incompatible with it...anyway, did all that you said and made sure that Avast! performed a Boot time scan and it found a file in the WINDOWS folder under the file name: C:/WINDOWS/SYSTEM32/ws2_32.dll...now I tried to repair the file, repair failed, so I tried to move it to the chest, move failed as it is read only, then I tried to rename and move it but failed because again, it is a read only file...I thought about deleting it and downloading a new version of this file but when I reboot in normal mode, the taskbar down at the bottom doesn't load at all, and when I try to start task manager (Ctrl+Alt+Del) the hourglass appears and I'm unable to do ANYTHING...what should I do about this trojan as Avast! won't let me do anything...I daren't try and delete it because it seems like a necessary file...

Hope you can help me again,

JCARegal :thumbsup:

#11 boopme, "To Insanity and Beyond" (Global Moderator, 73,428 posts, NJ USA)

Posted 01 September 2009 - 10:41 PM

Hello, you were to remove Norton (removal tool) and add Avast. Having 2 AVs running will cause many problems.

This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start > Run and type: regedit
Click OK.
On the left side, click to highlight My Computer at the top.
Go up to File > Export
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click Save and then go to File > Exit.
Or you can download and use ERUNT, which is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #275 and click "Lift Restrictions - TM, Regedit and CMD" in the left column. Go to File, choose "Save page as" All Files and save regtmcmdrestore.vbs to your desktop. Double-click on that file to allow the script to run and reboot when done. Since the script modifies certain registry settings your anti-virus package may warn you about it. Ignore the warning and allow it to run.


Go here and locate your Taskbar issue
http://www.kellys-korner-xp.com/taskbarplus!.htm


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Edited by boopme, 01 September 2009 - 10:42 PM.


#12 JCARegal, Topic Starter (Members, 21 posts, Glasgow, Scotland)

Posted 02 September 2009 - 08:39 AM

Ok so I've done all of what was instructed but I can't update MBAM because some kind of error message came up right at startup saying that msnmsg.exe or something, gear311T and SUPERAntiSpyware didn't start properly and had to be terminated or something with an error code along the lines of 0xc0000028 or an error along those lines...the quick scan ran and found nothing but of course Avast! is having a field day: "Caution a virus has been detected..." two minutes later "Caution, a virus has been detected...an instance of C:/WINDOWS/SYSTEM32/ws2_32.dll is infected with win32:patched-KW [TRJ]" etc.

Now the machine doesn't connect to the internet and when I try typing services.msc into Run, a message pops up where the services should be saying: MMC could not create the snap-in

I think I might just have to reformat and reinstall....as you probably guessed this was my last resort :thumbsup:
I don't think I've got much of a choice now though to be honest because my PC is a vegetable now: 1/3 times, it starts up normally but then it steamrolls on probably doing more damage. I daren't delete ws2_32.dll, because it is a valuable system file used for networking and this is stopping my computer from functioning properly as most programs need the file, which is now corrupt with the Trojan. This explains why I can't connect to my home wireless network.

Thanks for your help so far Boopme, but can you please post a post with instructions to Reinstall after a situation like this, or alternatively post a link which will direct me to an official site instructing me how to reinstall after this?

Thanks again and hope you can still help:

JCARegal

#13 boopme, "To Insanity and Beyond" (Global Moderator, 73,428 posts, NJ USA)

Posted 02 September 2009 - 09:02 AM

This new variant is wreaking havoc; sometimes a format and reinstall is good.
Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results; they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
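The two backup guidelines in the post above (copy data files such as .doc, .txt, .mp3 and .jpg; leave executables, web pages and archives behind; watch for a hidden second extension such as holiday.jpg.exe) can be applied mechanically before files are moved off an infected machine. The script below is an added example written for this page, not a tool from the thread or from BleepingComputer; it uses Python because the verifier can run it, and the folder layout and file names inside demo() are constructed for illustration. It decides by file name only, so anything it copies should still be scanned with anti-virus before being restored, as the post says.

```python
"""Backup filter following the "2 guidelines/rules when backing up" above.

Added example (not from the thread): walks a source folder, copies only
data files to the backup folder, and leaves behind executables, web pages,
archives and autorun files.  Names with a data extension followed by a
risky one (holiday.jpg.exe) are reported separately, because that is the
disguise the post warns about.  All sample file names are constructed.
"""
import os
import shutil
import tempfile

# Data types the post says are worth keeping.
KEEP = {".doc", ".txt", ".mp3", ".jpg"}
# Types the post says not to copy because they may carry malware.
RISKY = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# Autorun files are singled out in the thread; never copy them, whatever the folder.
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}


def classify(name):
    """Return (verdict, reason) for one file name.

    Verdicts: 'keep', 'skip-autorun', 'skip-double-ext', 'skip-risky',
    'skip-unknown'.  Only the name is inspected, never the content.
    """
    lower = name.lower()
    if lower in AUTORUN_NAMES:
        return "skip-autorun", "autorun file"
    exts = ["." + p for p in lower.split(".")[1:]]   # every extension after the first dot
    if not exts:
        return "skip-unknown", "no extension"
    final = exts[-1]
    # A data extension hiding a risky one: 'holiday.jpg.exe' shown as 'holiday.jpg'
    if len(exts) > 1 and final in RISKY and any(e in KEEP for e in exts[:-1]):
        return "skip-double-ext", "data extension hides " + final
    if final in RISKY:
        return "skip-risky", final + " may contain malware"
    if final in KEEP:
        return "keep", "data file"
    return "skip-unknown", "unlisted extension " + final + ", review by hand"


def copy_filtered(src, dst):
    """Copy 'keep' files from src to dst, preserving the folder tree.

    Returns a report mapping each verdict to the relative paths that got it,
    so the user can see what was left behind and why.
    """
    report = {}
    for root, _dirs, files in os.walk(src):
        rel_dir = os.path.relpath(root, src)
        for name in files:
            verdict, _reason = classify(name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            report.setdefault(verdict, []).append(rel)
            if verdict == "keep":
                target_dir = os.path.join(dst, rel_dir)
                os.makedirs(target_dir, exist_ok=True)
                shutil.copy2(os.path.join(root, name), os.path.join(target_dir, name))
    return report


def demo():
    """Build a constructed sample tree in a temp dir, filter it, and return
    (report, names actually copied)."""
    base = tempfile.mkdtemp(prefix="backup-demo-")
    src = os.path.join(base, "infected_pc")
    dst = os.path.join(base, "external_drive")
    os.makedirs(os.path.join(src, "My Documents"))
    sample = ["letter.doc", "notes.TXT", "song.mp3", "setup.exe",
              "holiday.jpg.exe", "autorun.inf", "README"]   # constructed names
    for name in sample:
        with open(os.path.join(src, "My Documents", name), "w") as fh:
            fh.write("constructed sample content\n")
    report = copy_filtered(src, dst)
    copied = sorted(os.listdir(os.path.join(dst, "My Documents")))
    return report, copied


if __name__ == "__main__":
    rep, copied_names = demo()
    for verdict, paths in sorted(rep.items()):
        print(verdict, paths)
    print("copied:", copied_names)
```

Unlisted extensions are deliberately reported as "skip-unknown" rather than copied: the post's lists are short, and an allow-list is the safer default when the machine is known to be infected.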

#14 JCARegal

JCARegal
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Location:Glasgow, Scotland

Posted 05 November 2009 - 06:58 AM

Hi Boopme, sorry to bring this up once again, but can you believe it, I have just gotten round to trying to fix this computer. Every time we try to turn it on it blue screens and does not boot. I'm going to try and tackle the computer tonight because we have guests over on Saturday night and the kids need some form of entertainment, so we thought reincarnating the computer would be a good idea haha. Once we find the XP installation CD, we don't want to format the HD, but we do want XP to be reinstalled and then go in and exterminate the virus. When we do this, will the infected system folders such as ws2_32.dll be harmlessly restored to their original state, or will the virus still reside in the machine? Is it just a case of the classic putting in the CD and booting from disk, or will this require some other form of reinstallation? I have a Dell Dimension 4600 Windows XP home ed. I remember reading somewhere that Dell computers require you to press F2 to enter the boot menu? Hope you can help Boopme, and again sorry for this late emergency post.

thanks,
JCARegal (again) :thumbsup:

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 05 November 2009 - 12:03 PM

Hi, the repair install will Not kill any malware, only fix the files that need be.
Try running this first, then MBAM, then Repair.
VIPRE Rescue Program


Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe. Now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Next run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Then, if all comes back clean, do the repair.



