Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Clicking on links are redirecting me


  • Please log in to reply
8 replies to this topic

#1 yummytyson

yummytyson

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 27 November 2009 - 11:43 AM

Hello. When I google something and click a link, it redirects me to another site and sometimes a site that tells me I have malware blah blah blah install this. It first started yesterday when I was playing games and I heard audio coming out of my speakers like I was streaming a video but I had closed everything, so I just restarted and that fixed the problem. When I click the links it redirects me to another search engine or to some security website telling me that my computer is infected. The "Security Tools" program has also popped up on my computer but I was able to remove it. I am using Firefox on Windows XP, tried using Spyware Doctor, Malwarebytes, RemoveIT Pro

Edited by yummytyson, 27 November 2009 - 11:43 AM.


BC AdBot (Login to Remove)

 


#2 Jove

Jove

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:06:38 AM

Posted 27 November 2009 - 07:25 PM

I am not a staff member, but the person who answered this post is, . .
It may give you some insight concerning the, "redirect problem"

It was not solved, but makes informative reading, may tell you what will not work ?

http://www.theeldergeek.com/forum/index.php?showtopic=39177

When you don't have to worry about your computer anymore, you can start
living again !

vrwqzc.gif
Success is a result, not a goal. . . . Flaubert


#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:38 AM

Posted 27 November 2009 - 08:15 PM

Hello ,please post the Malwarebytes log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 yummytyson

yummytyson
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 28 November 2009 - 04:05 AM

Here are the logs from MalwareBytes. I scanned 3 times so here are the 3 logs that I have.

1.

Malwarebytes' Anti-Malware 1.41
Database version: 3238
Windows 5.1.2600 Service Pack 2

11/26/2009 12:06:00 PM
mbam-log-2009-11-26 (12-06-00).txt

Scan type: Quick Scan
Objects scanned: 5286
Time elapsed: 1 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


2.

Malwarebytes' Anti-Malware 1.41
Database version: 3240
Windows 5.1.2600 Service Pack 2

11/26/2009 10:05:11 PM
mbam-log-2009-11-26 (22-05-11).txt

Scan type: Quick Scan
Objects scanned: 125504
Time elapsed: 12 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\autocomplete.cautocomplete (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{2b0378e2-af97-413b-bde9-043094121de3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9677d5d8-b782-4800-bc73-16a59fc8d5b7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9452efd9-fe71-4678-a595-4751f4224c5d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9452efd9-fe71-4678-a595-4751f4224c5d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9452efd9-fe71-4678-a595-4751f4224c5d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\autocomplete.cautocomplete.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{2b0378e2-af97-413b-bde9-043094121de3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\AutoComplete.dll (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RList (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\MyID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\61128523 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\AutoComplete.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tyson\Application Data\install.config.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TMP8D.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_ex-08.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ovqh.tmp\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tyson\Local Settings\Temporary Internet Files\Content.IE5\L02T92N7\xlscheck332[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tyson\Local Settings\Temporary Internet Files\Content.IE5\L7RJ5TOE\install.config[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\61128523\61128523.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tyson\Local Settings\Temp\hi.bat (Malware.Trace) -> Quarantined and deleted successfully.


3.

Malwarebytes' Anti-Malware 1.41
Database version: 3240
Windows 5.1.2600 Service Pack 2

11/27/2009 10:08:15 AM
mbam-log-2009-11-27 (10-08-15).txt

Scan type: Quick Scan
Objects scanned: 112003
Time elapsed: 6 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I will try the ATF Cleaner and Super anti spyware right now.

#5 yummytyson

yummytyson
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 28 November 2009 - 10:14 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/28/2009 at 04:32 AM

Application Version : 4.31.1000

Core Rules Database Version : 4316
Trace Rules Database Version: 2177

Scan type : Complete Scan
Total Scan Time : 03:16:38

Memory items scanned : 217
Memory threats detected : 0
Registry items scanned : 5700
Registry threats detected : 0
File items scanned : 76425
File threats detected : 13

Adware.Tracking Cookie
.insightexpressai.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ckdq7dr6.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ckdq7dr6.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ckdq7dr6.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ckdq7dr6.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ckdq7dr6.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\Tyson\Application Data\Mozilla\Firefox\Profiles\ashkcj0l.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\Tyson\Application Data\Mozilla\Firefox\Profiles\ashkcj0l.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Tyson\Application Data\Mozilla\Firefox\Profiles\ashkcj0l.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Tyson\Application Data\Mozilla\Firefox\Profiles\ashkcj0l.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Tyson\Application Data\Mozilla\Firefox\Profiles\ashkcj0l.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Tyson\Application Data\Mozilla\Firefox\Profiles\ashkcj0l.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Tyson\Application Data\Mozilla\Firefox\Profiles\ashkcj0l.default\cookies.txt ]

Rootkit.Agent/Gen-DNSHack
C:\DOCUMENTS AND SETTINGS\TYSON\DESKTOP\GAMES\WC3\CYPHEALTH.EXE

#6 yummytyson

yummytyson
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 28 November 2009 - 11:28 AM

Clicking links are still redirecting me, and it's not to just one site if that is helpful =/ but the link that i do see most often is "directdr.com" i believe.

The rootkit that super anti spyware found is actually a program that my friend created and all it does is press 1 and F1 simultaneously, so i'm not sure why that popped up as a rootkit, i've been using it for probably over a year now.

Edited by yummytyson, 28 November 2009 - 11:28 AM.


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:38 AM

Posted 28 November 2009 - 03:50 PM

Hello. The SAS file just exhibits behavior to that of a rootkit. Malware tools cannot always distinguish a good guy from a bad,but will report it. You can have the tools ignore it nextime by unchecking and/or adding it to the trusted zone.

The TTDS rootkit found can and will steal,passwords,financial numbers etc..

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 yummytyson

yummytyson
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 29 November 2009 - 12:22 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/28 21:11
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB0F57000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\tyson\application data\skype\yumyumteeson\etilqs_krgzwbrd0fbmb2pm00vg
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\tyson\application data\skype\yumyumteeson\etilqs_rqrm4xmabxohjbimbsn0
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb26616b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf7445e22

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf7426cdc

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf7426ece

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf7446610

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf74468c4

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb266114c

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf7444b14

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb266108c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb26610f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb266176e

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf7446d30

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb266172e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf74460e2

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb27450b0

==EOF==

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:38 AM

Posted 29 November 2009 - 09:23 PM

Hello ,do you still have redirects?
Please rerun Rootrepeal.n step 6 select ONLY files.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Post back 2 logs.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users