
Cannot access Gmail site or sign into google toolbar


25 replies to this topic

#1 margo54

Posted 30 August 2009 - 03:48 PM

My home PC was infected by "Windows Protection Suite" fake spyware protection. That is when I first found I could not get to the Gmail site and could not sign into Google Toolbar. IE just says it cannot locate the site. After removing the "Windows Protection Suite" spyware virus, I still cannot bring up the Gmail site or sign into the toolbar; however, everything else works fine and I can access other sites and email on Yahoo, Windows Live/Hotmail and Cox. I have no problem on my netbook accessing Gmail and Google Toolbar though. Also tried various web browsers (Firefox, Google Chrome and Internet Explorer) with the same results on my PC. I have scanned the computer with Malwarebytes, McAfee suite, Spyware Detector and ESET Smart Security (which actually removed the virus). I have also scanned with System Restore off. Still no luck.



#2 Guest_The weatherman_*

Posted 30 August 2009 - 05:32 PM

Moved from Internet & Networking to a more appropriate forum. Tw

#3 Computer Pro

Posted 30 August 2009 - 06:50 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then select the Immediate Notification bubble and press Submit.


Could you please update Malwarebytes by going to the "Update" tab and then run a Quick Scan? Then post back the log.
Computer Pro

#4 margo54

Posted 02 September 2009 - 10:32 PM

Here is the log from Malwarebytes' Anti-Malware. I ran a full scan.

Malwarebytes' Anti-Malware 1.40
Database version: 2730
Windows 5.1.2600 Service Pack 3

9/2/2009 5:33:13 PM
mbam-log-2009-09-02 (17-33-13).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|I:\|J:\|)
Objects scanned: 259385
Time elapsed: 1 hour(s), 50 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

#5 margo54

Posted 03 September 2009 - 10:14 AM

I ran another scan with XOFTSPYSE and here is what it found. I am only listing the severe risks.

Qhost NIJ Trojan
www.google.de
www.google.fr
www.google.co.uk
www.google.com.br
www.google.it
www.google.co.jp
www.google.com.mx
www.google.ca
www.google.com.au
www.google.nl
www.google.co.za
www.google.be
www.google.gr
www.google.at
www.google.se
www.google.ch
www.google.pt
www.google.dk
www.google.fi
www.google.ie
www.google.no


I hope this helps. It seemed to be more relevant to the problem.
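A Qhost-class detection like the one above normally refers to entries planted in the Windows hosts file, which is why every browser on the machine fails for the same names while other sites work. As an added example that is not part of this thread, the Python below audits hosts-file text for that pattern: any non-stock hostname mapped to a routable address is reported as a redirect, and watched names mapped to loopback or 0.0.0.0 are reported as sinkholed (the "cannot locate the site" symptom); the sample hosts content and the watch list of Google suffixes are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Names a stock Windows hosts file legitimately maps to loopback.
STOCK_NAMES = {"localhost", "broadcasthost", "localhost.localdomain"}

# Hostname suffixes to watch; an assumption for this example, taken from the
# Google domains XOFTSPYSE listed in the thread (extend as needed).
WATCHED_SUFFIXES = ("google.com", "google.de", "google.co.uk", "google.fr")

# Constructed sample hosts file (not the poster's file) showing both kinds of tampering.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net                 # ad-block style sink, not watched
127.0.0.1       mail.google.com                 # watched name sinkholed: "cannot locate the site"
198.51.100.7    www.google.com www.google.de    # watched names sent to a routable address
"""


@dataclass(frozen=True)
class HostsFinding:
    hostname: str
    address: str
    kind: str  # "sinkhole" (loopback or 0.0.0.0) or "redirect" (any other address)


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address: skip the line
        for name in parts[1:]:
            yield ip, name.lower()


def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Report every routable mapping for a non-stock name, plus sinkholed watched names."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in STOCK_NAMES:
            continue
        is_watched = any(name == s or name.endswith("." + s) for s in watched)
        if not (ip.is_loopback or ip.is_unspecified):
            findings.append(HostsFinding(name, str(ip), "redirect"))
        elif is_watched:
            findings.append(HostsFinding(name, str(ip), "sinkhole"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f.kind:8} {f.hostname} -> {f.address}")
```

On a real XP machine the file to read is %SystemRoot%\system32\drivers\etc\hosts; a stock copy contains only the localhost lines, so every other entry deserves a look.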

#6 Computer Pro

Posted 03 September 2009 - 05:14 PM

Did you have it remove the threat?
Computer Pro

#7 margo54

Posted 04 September 2009 - 10:05 AM

Yes, and it is the second or third time I have had it remove the same apparent threat. However, I still cannot get onto the Gmail site (the page to log in) or log into the toolbar from any web browser (Google Chrome, Mozilla Firefox, Internet Explorer). I have run McAfee Security, Malwarebytes' Anti-Malware, XOFTSPYSE, Spyware Detector. I have removed anything they found but have seen no improvement. XOFTSPYSE is the only one that finds the list of Google related trojans. When I try to go to Gmail, the screen that comes up gives the option to check connectivity etc. and everything comes up working OK. So, now what?

#8 Computer Pro

Posted 07 September 2009 - 06:39 PM

Let's check for rootkits:

Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the FILES tab, then click the Scan button.
* In the Select Drives dialog, under Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.


Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
Computer Pro

#9 margo54

Posted 08 September 2009 - 07:27 AM

ok, I will have to wait till I get home from work tonight. thanks, hope this works

#10 Computer Pro

Posted 08 September 2009 - 06:17 PM

Ok, I will be waiting for the log.
Computer Pro

#11 margo54

Posted 08 September 2009 - 06:40 PM

ok, here it is.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/08 19:36
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\sqlite_g3b4ceboxezdtep
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_g9tqso7mniaviky
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_gufpedmyq7ff4bs
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_iqp3d0omvxt8ohu
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_jmmennihokhkol6
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_mtoy98n96wxmkk9
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_o9mxwfeux5g4wfb
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_obtmk0r9yuofwx4
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_skcsksp5ntiu6ty
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_miixvoi5tgxpqwe
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\perflib_perfdata_65c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\sqlite_viengiekkyihszt
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_vkidl1yndoxveri
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_9sgmeb1yanschy3
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_abisvakdkagghml
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_avz1iolgsacfxnd
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_c4ptik8l0ynso7a
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_cgxmawlbyze1ueq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_ck6y7lydmlsn9tu
Status: Allocation size mismatch (API: 4096, Raw: 0)

#12 Computer Pro

Posted 08 September 2009 - 07:26 PM

Another opinion:

Please download Sophos Anti-Rootkit and save it to your desktop.
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Credits to DaChew
Be sure to print out and read the User Manual and Release Notes.
Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
Make sure the following are checked:
o Running processes
o Windows Registry
o Local Hard Drives

Click Start scan.
Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
o Files tagged as Removable: No are not marked for removal and cannot be removed.
o Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
o Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
After reboot, a dialog box displays the files you selected for removal and the action taken.
Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
Disconnect from the Internet or physically unplug your Internet cable connection.
Clean out your temporary files.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Computer Pro

#13 margo54

Posted 09 September 2009 - 07:15 AM

ok, it will probably be around the same time when I get it finished. This one seems more involved too.

#14 margo54

Posted 09 September 2009 - 06:15 PM

OK, here is the log from the scan. Everything came up as "Files tagged as removable: Yes (but clean up not recommended)" so nothing was checked or removed.



Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 9/9/2009 at 17:47:46
User "Margo" on computer "HOME"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
Hidden: file C:\Program Files\Netscape\Netscape 6\components\gkcontent.dll
Hidden: file C:\Program Files\Common Files\Roxio Shared\DLLShared\RoxIPP30.dll
Hidden: file C:\bundle\Works\PFILES\MSWORKS\GDIPLUS.DLL
Hidden: file C:\Program Files\Common Files\Microsoft Shared\Grphflt\fpx32.flt
Hidden: file C:\Program Files\Microsoft Works\1033\msgr3en.dll
Hidden: file C:\Documents and Settings\Margo\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_0001ea
Hidden: file C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
Hidden: file C:\Documents and Settings\Margo\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\Shockwave3dAsset\Shockwave 3d Asset.x32
Hidden: file C:\Documents and Settings\Derrick\Local Settings\Temporary Internet Files\Content.IE5\8S84CNBD\ion%3Dmail[1].readmessage%26userid%3D30838304%26type%3Dinbox%26messageid%3D393830307%26fed%3Dtrue%26mytoken%3Dd255dea2-003c-43cd-af69-474b64b1e4ee,;ord=1187101376
Hidden: file C:\Documents and Settings\Derrick\Local Settings\Temporary Internet Files\Content.IE5\M4EIH8Y0\ion%3Dmail[1].readmessage%26userid%3D30838304%26type%3Dinbox%26messageid%3D393830307%26fed%3Dtrue%26mytoken%3Daa6bd99a-acda-4418-b4d5-d44977802dff,;ord=1187101247
Hidden: file C:\Documents and Settings\Derrick\Local Settings\Temporary Internet Files\Content.IE5\EPQKT2ZM\ion%3Dmail[1].readmessage%26userid%3D30838304%26type%3Dinbox%26messageid%3D393835494%26fed%3Dtrue%26mytoken%3D05548028-7ce8-4994-a320-d869790ffb01,;ord=1187101337
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\hwxjpn.dll
Hidden: file C:\Program Files\ArcSoft\Camera Suite\ShowBiz DVD 2\VDibTool.dll
Hidden: file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\20H39A59\110.mail.live.com_mail_InboxLight[1].aspx%3FFolderID%3D00000000-0000-0000-0000-000000000001%26InboxSortAscending%3DFalse%26InboxSortBy%3DDate%26n%3D963243454
Hidden: file C:\Documents and Settings\Derrick\Local Settings\Temporary Internet Files\Content.IE5\M4EIH8Y0\AAAAA,,http%3A%2F%2Fviewmorepics.myspace.com%2Findex[1].cfm%3Ffuseaction%3Dviewimage%26friendid%3D162412026%26albumid%3D819129%26imageid%3D8690683,;ord=1187040541
Hidden: file C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzims12.dll
Hidden: file C:\Program Files\Makayama Interactive\Motorola Media Studio demo\Motorola Media Studio HGO.exe
Hidden: file C:\Program Files\HP\Digital Imaging\bin\CoolType.dll
Hidden: file C:\WINDOWS\system32\Macromed\Shockwave 10\dirapi.dll
Hidden: file C:\WINDOWS\system32\Macromed\Shockwave 10\Xtras\Flash Asset.x32
Hidden: file C:\WINDOWS\system32\Macromed\Shockwave 10\Xtras\Shockwave 3d Asset.x32
Hidden: file C:\Program Files\QuickTime\QuickTimePlayer.exe
Hidden: file C:\Documents and Settings\Margo\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\FlashAsset\Flash Asset.x32
Hidden: file C:\Documents and Settings\Derrick\Local Settings\Temporary Internet Files\Content.IE5\IDOWW1W9\.es0YAAAAA,,http%3A%2F%2Fviewmorepics.myspace.com%2Findex[1].cfm%3Ffuseaction%3Dviewimage%26friendid%3D30838304%26albumid%3D0%26imageid%3D14600672,;ord=1186193119
Hidden: file C:\Documents and Settings\Derrick\Local Settings\Temporary Internet Files\Content.IE5\E5HRS93A\bUwEYAAAAA,,http%3A%2F%2Fviewmorepics.myspace.com%2Findex[1].cfm%3Ffuseaction%3Dviewimage%26friendid%3D162412026%26albumid%3D0%26imageid%3D8838734,;ord=1187042438
Hidden: file C:\Documents and Settings\Derrick\Local Settings\Temporary Internet Files\Content.IE5\JUE8YKOB\dUoCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHC-wUYAAAAA,,http%3A%2F%2Fmedia.adrevolver[1].com%2Fadrevolver%2Fbanner%3Fplace%3D16874%26cpy%3D1187102319933,;ord=1187102320
Hidden: file C:\Documents and Settings\Derrick\Local Settings\Temporary Internet Files\Content.IE5\M4EIH8Y0\x[1].cfm%3Ffuseaction%3Dpostimagecomment%26friendid%3D162412026%26albumid%3D0%26imageid%3D8838734%26mytoken%3D470efb13-ad3b-4f98-b382-5e53e4c94a23,;ord=1187042434
Hidden: file C:\Documents and Settings\Derrick\Local Settings\Temporary Internet Files\Content.IE5\JUE8YKOB\zWwEYAAAAA,,http%3A%2F%2Fviewmorepics.myspace.com%2Findex[1].cfm%3Ffuseaction%3Dviewimage%26friendid%3D162412026%26albumid%3D0%26imageid%3D9826331,;ord=1187042876
Hidden: file C:\Program Files\HP\Photosmart Essential\fermataU.dll
Hidden: file C:\Documents and Settings\Derrick\Local Settings\Temporary Internet Files\Content.IE5\EPQKT2ZM\ion%3Dmail[1].readmessage%26userid%3D30838304%26type%3Dinbox%26messageid%3D391209688%26fed%3Dtrue%26mytoken%3D1bd44d4d-8432-40de-ac2c-3967b8ad8f70,;ord=1186625033
Hidden: file C:\WINDOWS\$NtUninstallKB967715$\shell32.dll
Hidden: file C:\WINDOWS\system32\dllcache\shell32.dll
Hidden: file C:\Documents and Settings\Margo\Favorites\Multiple Sclerosis sites \Unique MS Patient Database Now Widely Available.URL
Hidden: file C:\Documents and Settings\Derrick\Local Settings\Temporary Internet Files\Content.IE5\9GIVF3XS\AAAAAAAAAAAAn.u0YAAAAA,,http%3A%2F%2Fbulletins.myspace.com%2Findex[1].cfm%3Ffuseaction%3Dbulletin%26mytoken%3D94f74954-daa9-471b-bdbe-a6c8c8854a18,;ord=1186725641
Hidden: file C:\Documents and Settings\Derrick\Local Settings\Temporary Internet Files\Content.IE5\JUE8YKOB\AAAAAAAAAAAB3.u0YAAAAA,,http%3A%2F%2Fbulletins.myspace.com%2Findex[1].cfm%3Ffuseaction%3Dbulletin%26mytoken%3D94f74954-daa9-471b-bdbe-a6c8c8854a18,;ord=1186725661
Hidden: file C:\Documents and Settings\Margo\Local Settings\Application Data\{6D5797A7-85E5-427D-8584-116735D95C36}\stamps.exe
Stopped logging on 9/9/2009 at 19:03:49

#15 Computer Pro

Posted 09 September 2009 - 07:05 PM

Please download SmitFraudFix
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Computer Pro
