Google redirect problem


  • This topic is locked
15 replies to this topic

#1 Yomero

Posted 13 October 2009 - 01:45 PM

For some days now I've noticed that sometimes my Google search results take me somewhere else... tooseeka and other sites not related to the actual search result link. I've tried Ad-Aware anti-malware, SUPERAntiSpyware, some Trend Micro tools and no luck.

I also run AVG Free.

Any ideas please? I'd really appreciate it.

Here's the DDS log:

DDS (Ver_09-10-13.01) - NTFSx86
Run by Cesar Gonzalez at 13:18:57.15 on Tue 10/13/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.250 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\putty.exe
C:\Program Files\Fonality\HUD\HUD.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RaidTool] c:\program files\via\raid\raid_tool.exe
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {6C713E31-4170-4E48-901E-96A41673682C} = 207.193.205.1,207.193.250.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cesarg~1\applic~1\mozilla\firefox\profiles\fyqgt2de.default\
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: XULRunner: {93FE3ED3-C896-48E1-A16E-D397B2BCB790} - c:\documents and settings\cesar gonzalez\local settings\application data\{93FE3ED3-C896-48E1-A16E-D397B2BCB790}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-8 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-22 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-22 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-22 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-22 297752]
S2 gupdate1c9f064eb05bd2c;Google Update Service (gupdate1c9f064eb05bd2c);c:\program files\google\update\GoogleUpdate.exe [2009-6-18 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S2 Protector;Protector;c:\program files\tenebril\spycatcher\ProtectorSvc.exe [2008-7-8 3020608]
S3 CMC AntiRootkit Service;CMC AntiRootkit Servic;c:\windows\system32\drivers\cmcantirootkit.sys --> c:\windows\system32\drivers\cmcantirootkit.sys [?]
S3 MIP;MIP.Sys MIP test driver;c:\windows\system32\drivers\MIP.sys [2009-8-17 86870]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]

=============== Created Last 30 ================

2009-10-09 11:24 <DIR> --d----- C:\Backup
2009-10-08 18:24 <DIR> --d----- c:\windows\system32\SpycatcherAgentSetupTemp
2009-10-08 18:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Tenebril
2009-10-08 18:23 <DIR> --d----- c:\program files\Tenebril
2009-10-08 18:22 <DIR> --d----- c:\windows\Downloaded Installations
2009-10-08 18:09 15,688 a------- c:\windows\system32\lsdelete.exe
2009-10-08 17:47 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-10-08 17:43 <DIR> --d----- c:\program files\Lavasoft
2009-10-08 17:28 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-10-06 10:15 229,888 a------- c:\windows\PEV.exe
2009-10-06 10:15 161,792 a------- c:\windows\SWREG.exe
2009-10-06 10:15 98,816 a------- c:\windows\sed.exe
2009-10-05 18:21 160,272 a------- c:\windows\system32\drivers\tmcomm.sys
2009-10-05 10:18 <DIR> --dsh--- c:\documents and settings\cesar gonzalez\IETldCache
2009-10-05 10:02 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-10-05 10:02 <DIR> --d----- c:\windows\ie8updates
2009-10-05 10:02 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-10-05 10:02 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-10-05 10:02 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-05 10:02 11,067,392 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-10-05 10:02 1,985,536 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-10-05 10:02 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-10-05 10:00 <DIR> -cd-h--- c:\windows\ie8
2009-10-05 09:41 <DIR> --d----- c:\windows\system32\XPSViewer
2009-10-05 09:39 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-05 09:39 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-05 09:39 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-05 09:39 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-10-05 09:39 117,760 -------- c:\windows\system32\prntvpt.dll
2009-10-05 09:39 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-10-05 09:39 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-10-05 09:39 <DIR> --d----- C:\af55d35a4562c4bd2004c59dbffa5e1c
2009-10-05 09:30 221,184 a------- c:\windows\system32\wmpns.dll
2009-10-02 17:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-02 17:08 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-02 17:08 <DIR> --d----- c:\docume~1\cesarg~1\applic~1\SUPERAntiSpyware.com
2009-10-02 17:08 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-02 13:02 <DIR> --d----- c:\docume~1\cesarg~1\applic~1\Malwarebytes
2009-10-02 13:02 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-02 13:02 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-02 13:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-02 13:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-01 13:28 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-10-01 13:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-29 12:03 120 a------- c:\windows\Udefuwejat.dat
2009-09-29 12:03 0 a------- c:\windows\Fnedeyiqamabim.bin
2009-09-24 18:58 15,714 a------- C:\CSElogoVmail2.jpg
2009-09-24 17:53 24,921 a------- C:\CSElogoVmail.png
2009-09-21 11:08 <DIR> --d----- c:\program files\XML Notepad 2007
2009-09-21 07:57 11,560 a------- C:\ip600.bmp

==================== Find3M ====================

2009-08-23 09:15 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-23 09:15 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-28 23:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 23:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll

============= FINISH: 13:19:58.22 ===============


Thanks

Attached Files
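The DDS log above is what the helpers read to spot persistence entries and browser hooks. As an added example (not part of the thread and not a DDS or BleepingComputer tool), the Python below applies a few of the checks a log reader does by eye: entries whose referenced file is gone ("No File"), Firefox hidden extensions installed somewhere other than Program Files or the Windows directory, recently created files dropped directly into the Windows root, and the DNS servers the log records so they can be verified against the ISP's. The excerpt embedded in the script is copied from the log above; the heuristics themselves and the "vendor directory" allowlist are my assumptions, and they flag items for review rather than give verdicts.

```python
"""Triage heuristics for a DDS log.  Added example; not part of the thread."""
import re
from collections import defaultdict

# Excerpt copied from the DDS log posted above (three of its sections).
DDS_EXCERPT = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
TCP: {6C713E31-4170-4E48-901E-96A41673682C} = 207.193.205.1,207.193.250.1

================= FIREFOX ===================

FF - HiddenExtension: XULRunner: {93FE3ED3-C896-48E1-A16E-D397B2BCB790} - c:\documents and settings\cesar gonzalez\local settings\application data\{93FE3ED3-C896-48E1-A16E-D397B2BCB790}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

=============== Created Last 30 ================

2009-10-09 11:24 <DIR> --d----- C:\Backup
2009-10-08 18:09 15,688 a------- c:\windows\system32\lsdelete.exe
2009-09-29 12:03 120 a------- c:\windows\Udefuwejat.dat
2009-09-29 12:03 0 a------- c:\windows\Fnedeyiqamabim.bin
2009-09-24 18:58 15,714 a------- C:\CSElogoVmail2.jpg
"""

# "Created Last 30" rows: timestamp, <DIR> or size, attribute flags, path.
CREATED_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?:<DIR>|(?P<size>[\d,]+))\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
# A file sitting directly in the Windows root, with no further subdirectory.
WINDOWS_ROOT_FILE_RE = re.compile(r"c:\\windows\\[^\\]+")
# Where a legitimately installed hidden extension would live (assumption).
VENDOR_DIR_RE = re.compile(r"c:\\(progra(m files|~1)|windows)\\")


def triage(log_text):
    """Return lists of log entries worth a second look, keyed by heuristic."""
    findings = defaultdict(list)
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("=") and line.endswith("="):
            section = line.strip("= ").lower()        # e.g. "created last 30"
            continue
        if not line:
            continue
        if line.endswith(" - No File"):
            # Registry still references a component whose file is gone.
            findings["orphaned"].append(line)
        elif line.startswith("FF - HiddenExtension:"):
            path = line.rsplit(" - ", 1)[1].lower()
            if not VENDOR_DIR_RE.match(path):
                findings["hidden_extensions"].append(path)
        elif line.startswith("TCP:"):
            # DNS servers configured on the interface: surfaced for checking, not judged.
            servers = line.split("=", 1)[1]
            findings["dns_servers"].extend(s.strip() for s in servers.split(","))
        elif section == "created last 30":
            m = CREATED_RE.match(line)
            if m and m.group("size") is not None:    # skip <DIR> rows
                path = m.group("path").lower()
                if WINDOWS_ROOT_FILE_RE.fullmatch(path):
                    findings["loose_windows_files"].append(path)
    return dict(findings)


if __name__ == "__main__":
    for heuristic, items in triage(DDS_EXCERPT).items():
        print(f"[{heuristic}]")
        for item in items:
            print("   ", item)
```

Run against the full log it produces the same four lists. The two loose files it flags under c:\windows are the ones the helper lists for removal later in the thread, and a hidden Firefox extension living under the user profile rather than the browser's own directory is the kind of entry a redirecting add-on uses; the DNS servers are only surfaced, because the log alone cannot say whether they are the ISP's.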



#2 Yomero

Posted 15 October 2009 - 10:52 AM

Anyone please?? :(

#3 Yomero

Posted 15 October 2009 - 01:02 PM

Well, I used GooredFix by jpshortstuff (24.09.09.1) http://jpshortstuff.247fixes.com/GooredFix.exe and the redirects seem to have stopped.

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not post multiple times here, as that only pushes you further down the queue and causes confusion for the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 23 October 2009 - 09:50 PM.


#4 syler (Malware Response Team, Warrington, UK)

Posted 27 October 2009 - 01:57 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#5 Yomero

Posted 27 October 2009 - 02:15 PM

Hi Syler, first of all thanks for your reply. As I posted, I used GooredFix by jpshortstuff and so far the redirects have stopped. I accidentally ran it twice, so the log from the first run was overwritten and I have no clue what it did.

Do you think it's safe to assume that I'm in the clear? Or should I go ahead and run RSIT and post the logs so you can take a look at them?

Thanks again.

#6 syler

Posted 27 October 2009 - 02:40 PM

Hello Yomero,

If you are having no more issues and your computer is running OK then I can close this topic. If you want me to have a look anyway, go ahead and post the logs; just let me know what you want me to do.

Syler



#7 Yomero

Posted 27 October 2009 - 03:02 PM

Syler, I'm attaching both files, info.txt and log.txt, so you can take a look at them.

Thanks

Attached Files

  • info.txt (18.08 KB)
  • log.txt (29.44 KB)


#8 syler

Posted 27 October 2009 - 03:16 PM

I see that you have been running ComboFix.

ComboFix should not be run unless requested by an HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Post the contents of C:\ComboFix.txt in your next reply.



#9 Yomero

Posted 27 October 2009 - 05:24 PM

I understand ComboFix's disclaimer, but I was kind of desperate. I'm attaching the actual ComboFix.txt that was created the LAST time I ran ComboFix, which was about a week ago and before I used GooredFix. Or do you need a new run?

Thanks

Attached Files



#10 syler

Posted 27 October 2009 - 05:32 PM

Yomero,

I understand you may have been desperate, but you would have been even more desperate if ComboFix had stopped your machine from booting. I don't need a new log; I just need to see what ComboFix has done, and whether there is anything in the log that needs dealing with.

Please give me some time to look at your logs and I will get back to you.

Syler



#11 syler

Posted 27 October 2009 - 06:09 PM

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /uninstall in the Run box and click OK. Note the space between the X and the /; it needs to be there.



Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.


We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code into the script text area. Do not include the word "Code".
    :Services
    alpn4lci
    CMC AntiRootkit Service
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SNM"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cjevaradewilul]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpyCatcher.lnk]
    :Files
    c:\windows\Udefuwejat.dat
    c:\windows\Fnedeyiqamabim.bin
    :Commands
    [EmptyTemp]
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.


You have outdated versions of Adobe Reader and Java. Having these outdated programs puts you at security risk, so you need to uninstall them.

Go to Add or Remove programs and uninstall these programs:

Java™ 6 Update 13
Adobe Reader 7.0.9


Then download and install the latest versions.

Java 6 update 16
Adobe Reader 9.2



Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please post back here with the following logs:
  • OTM results
  • Kaspersky results
  • New Rsit log
Thanks
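The OTM script in the post above has three kinds of targets: services to stop and delete, registry keys and values to remove, and files to move out of the way, followed by a temp-folder cleanup command. As an added example (not code from the thread, from OTM or from OldTimer), the Python below parses that script into an explicit plan so the reader can see exactly what would be changed before pressing the button, and cross-checks the :Files entries against the DDS log from the first post. It assumes the :Reg section follows .reg-file conventions ([-key] deletes a key, [key] selects it, and "name"=- deletes that value under the selected key); the script text and the two DDS lines embedded below are copied from this thread.

```python
"""Turn an OTM script into an explicit change plan.  Added example; not OTM's own code."""

# The script from the post above, verbatim.
OTM_SCRIPT = r"""
:Services
alpn4lci
CMC AntiRootkit Service
:Reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SNM"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cjevaradewilul]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpyCatcher.lnk]
:Files
c:\windows\Udefuwejat.dat
c:\windows\Fnedeyiqamabim.bin
:Commands
[EmptyTemp]
"""

# Two "Created Last 30" rows copied from the DDS log in the first post.
DDS_LINES = r"""
2009-09-29 12:03 120 a------- c:\windows\Udefuwejat.dat
2009-09-29 12:03 0 a------- c:\windows\Fnedeyiqamabim.bin
"""


def parse_otm(script):
    """Parse :Services/:Reg/:Files/:Commands into a plan of concrete actions.

    Registry semantics are assumed to follow .reg conventions: [-key] deletes
    the key, [key] selects it, and "name"=- deletes that value under it.
    """
    plan = {"services": [], "registry": [], "files": [], "commands": []}
    section = None
    current_key = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line[1:].lower()
            current_key = None
            continue
        if section == "services":
            plan["services"].append(line)           # stop and delete this service
        elif section == "reg":
            if line.startswith("[-") and line.endswith("]"):
                plan["registry"].append(("delete_key", line[2:-1]))
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            elif current_key and line.endswith("=-"):
                value_name = line[:-2].strip('"')
                plan["registry"].append(("delete_value", current_key, value_name))
            else:
                raise ValueError(f"unrecognised :Reg line: {line!r}")
        elif section == "files":
            plan["files"].append(line)              # moved to C:\_OTM\MovedFiles, not wiped
        elif section == "commands":
            plan["commands"].append(line.strip("[]"))
        else:
            raise ValueError(f"line before any section header: {line!r}")
    return plan


def files_seen_in_log(plan, dds_text):
    """Which :Files targets the DDS log actually recorded: a sanity check before moving them."""
    haystack = dds_text.lower()
    return [f for f in plan["files"] if f.lower() in haystack]


if __name__ == "__main__":
    plan = parse_otm(OTM_SCRIPT)
    for kind, actions in plan.items():
        print(f"{kind}:")
        for action in actions:
            print("   ", action)
    print("files confirmed in DDS log:", files_seen_in_log(plan, DDS_LINES))
```

Reading the plan this way makes the intent of the script plain: the two services and the two random-named files are the suspected malware components, while the three msconfig keys are stale startup-disable entries left behind by MSConfig and earlier cleanup tools. Because OTM moves files rather than deleting them, the C:\_OTM\MovedFiles folder mentioned above is where they can be recovered from if something turns out to be legitimate.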



#12 Yomero

Posted 28 October 2009 - 05:55 PM

Syler, according to your instructions, this is what I did:

a) Uninstalled ComboFix
b) Installed and ran ERUNT
c) Executed the OTM script; attaching the result
d) Removed Java™ 6 Update 13 and Adobe Reader 7.0.9
e) Installed the latest versions of Java and Adobe Reader
f) Ran Kaspersky Online Scanner; attaching results
g) Ran RSIT again; attaching the new log

Thanks

Attached Files



#13 syler

Posted 28 October 2009 - 07:09 PM

Yomero,

You did all the steps spot on.

The Kaspersky report shows that you have a couple of infected emails in Outlook. I can't tell you specifically which ones, so you would need to go through your Outlook Express folders and clean up any emails with attachments, although they will not harm you if they remain unopened.

You can go to the following folder and delete it manually as it contains an infection.

C:\Recovery\Anna\ANNA\Local Settings\Temporary Internet Files\Content.IE5


Apart from those your logs look fine now, please let me know if you are having any problems otherwise we can wrap this up.

Cheers



#14 Yomero

Posted 29 October 2009 - 05:02 PM

Syler, I no longer use Outlook (switched to Thunderbird), so I'll just go ahead and dump the whole PST and delete the other infection.

Thanks for all your help!

#15 syler

Posted 29 October 2009 - 05:52 PM

You're very welcome Yomero


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to do this is by making sure that Automatic Updates are always enabled.

To do this, click on Start >> Control Panel >> Automatic Updates, click Automatic (recommended), then Apply and OK.

Update your AntiVirus Software
It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install a Firewall
I can not stress how important it is that you use a third party firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Windows Firewall is good for blocking inbound connections but it does not block outbound connections. So if malware manages to get onto your computer it will be able to send data out when it wants. Here are some free firewalls I would recommend; only install one of these.

Zone Alarm
Comodo..........Note: Only install the firewall as a standalone if you already have an antivirus installed on your computer.

After you install the third party firewall, please disable your Windows Firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose the Off (not recommended) option. Then please click Apply and OK.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources and may even speed up the loading of web pages. You can download and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing :)
Syler
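The MVPS HOSTS file recommended above works by mapping known-bad hostnames to a sink address so the resolver never asks DNS for them. As an added example (not the MVPS file, not a tool from the thread), the Python below parses a hosts file the way the Windows resolver reads it (comments stripped, first entry for a name wins, exact hostname match) and shows the main caveat of this defence: only names listed verbatim are blocked, so a subdomain of a listed host still resolves normally. The sample hosts content is constructed for the example and is not taken from the real MVPS list; the first-match rule and the set of sink addresses are my assumptions about resolver and blocklist behaviour.

```python
"""Hosts-file blocking as the Windows resolver applies it.  Added example; not the MVPS file."""
import ipaddress

# Constructed sample in the MVPS layout (sink address first, then hostnames); not the real list.
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1       localhost
0.0.0.0  ads.example.net
0.0.0.0  tracker.example.org   # trailing comment
0.0.0.0  www.badstuff.example badstuff.example
0.0.0.0  ads.example.net       # duplicate: first match wins, this one is ignored
192.0.2.10  intranet.example   # a normal override, not a block
"""

# Addresses blocklists point hostnames at (MVPS uses 0.0.0.0; older lists used 127.0.0.1).
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text):
    """Map hostname -> address, keeping the first entry for a name (assumed resolver behaviour)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        address, *names = line.split()
        try:
            address = str(ipaddress.ip_address(address))
        except ValueError:
            continue                              # malformed line: skipped, never matched
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def lookup(table, hostname):
    """Hosts-file answer for an exact hostname, or None if DNS would be consulted."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(table, hostname):
    """True when the name is pinned to a sink address (localhost is mapped, not blocked)."""
    name = hostname.lower().rstrip(".")
    return name != "localhost" and lookup(table, name) in SINK_ADDRESSES


def coverage_gaps(table, hostnames):
    """Names under a blocked host that are not blocked themselves.

    Demonstrates the exact-match limitation: an entry for ads.example.net does
    nothing for cdn.ads.example.net.
    """
    blocked = {h for h in table if is_blocked(table, h)}
    gaps = []
    for h in hostnames:
        h = h.lower().rstrip(".")
        if is_blocked(table, h):
            continue
        if any(h.endswith("." + b) for b in blocked):
            gaps.append(h)
    return gaps


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.net", "cdn.ads.example.net", "intranet.example", "nothere.example"):
        print(f"{host:24} -> {lookup(table, host)}  blocked={is_blocked(table, host)}")
    print("not covered:", coverage_gaps(table, ["cdn.ads.example.net", "other.example"]))
```

Two practical notes follow from the code. Hosts-file blocking is a name-resolution control only: a program that connects to an IP address directly is unaffected, and malware running on the machine can edit the file itself, which is one reason helpers check it during cleanups like the one above. The MVPS instructions linked above also cover the slowdown a very large hosts file causes with the DNS Client service on XP and how to deal with it.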
