Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Google Redirect Malware

  • This topic is locked This topic is locked
14 replies to this topic

#1 jeramish


  • Members
  • 7 posts
  • Gender:Male
  • Location:Chicagoland, IL
  • Local time:02:08 AM

Posted 21 February 2010 - 07:18 PM

Hi all,

I seem to have picked up the Google redirect virus through my ignorance of the .Net Assistant's addition into my Firefox extensions and unfortunately was unable to find much in terms of commonly effected files and registry keys to manually clean it. I've now run a gauntlet of programs. Ad-Aware, Malwarebytes, SpyBot S&D, and SAV10 were unable to find the issue, as I've read is common, so I moved onto using Hitman Pro 3.5 which seems to have cleared up the issue. I just wanted some reassurance today, though, so I ran the ComboFix utility provided at this site. It looks like the results were fairly clean, but I'd just like any other opinions on the results from the logfile. Please let me know if you see any red-flags or have any other suggestions on further steps I should take (beyond reformatting) to further ensure that this threat was eliminated. Thanks in advance smile.gif

ComboFix 10-02-21.02 - Jere 02/21/2010 17:30:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.615 [GMT -6:00]
Running from: c:\documents and settings\Jere\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\documents and settings\Jere\Application Data\Microsoft\Internet Explorer\Quick Launch\xp-AntiSpy.lnk
c:\program files\INSTALL.LOG

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))

2010-02-21 03:02 . 2010-02-21 03:03 73984 ----a-w- c:\windows\system32\drivers\UlSata_restored.sys
2010-02-21 02:57 . 2010-02-21 03:49 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-02-21 02:56 . 2010-02-21 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-02-21 02:56 . 2010-02-21 02:56 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-02-20 21:12 . 2010-02-20 21:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-02-21 23:38 . 2005-09-05 09:10 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-21 04:21 . 2005-10-20 21:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-21 02:47 . 2009-12-30 22:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-21 02:46 . 2010-02-21 02:46 152576 ----a-w- c:\documents and settings\Jere\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-21 02:46 . 2009-12-30 22:20 79488 ----a-w- c:\documents and settings\Jere\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 23:10 . 2004-08-19 22:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-20 23:10 . 2009-01-16 00:23 -------- d-----w- c:\documents and settings\Jere\Application Data\SUPERAntiSpyware.com
2010-02-20 23:09 . 2007-07-16 06:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-14 14:49 . 2004-08-20 08:14 86221 ----a-w- c:\windows\War3Unin.dat
2010-02-03 20:57 . 2009-01-15 21:40 -------- d-----w- c:\program files\MWB
2010-02-03 20:55 . 2009-07-20 00:36 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 22:07 . 2009-01-15 20:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-01-15 20:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 22:14 . 2009-12-30 22:12 -------- d-----w- c:\program files\PS3 Media Server
2009-12-30 22:14 . 2004-08-20 04:43 -------- d-----w- c:\program files\Java
2009-12-30 22:12 . 2005-04-04 23:12 -------- d-----w- c:\documents and settings\Jere\Application Data\Azureus
2009-12-30 22:12 . 2006-10-07 16:20 -------- d-----w- c:\program files\Winamp
2009-12-30 22:11 . 2005-04-04 23:11 -------- d-----w- c:\program files\Azureus BIT TORRENT
2009-12-30 22:04 . 2004-08-26 20:22 79272 ----a-w- c:\documents and settings\Jere\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-30 21:51 . 2009-12-30 21:48 -------- d-----w- c:\program files\Winamp Remote
2009-12-30 21:51 . 2009-12-30 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\OrbNetworks
2009-12-30 21:48 . 2009-12-30 21:48 -------- d-----w- c:\program files\Winamp Detect
2009-12-30 21:38 . 2006-03-24 09:27 -------- d-----w- c:\program files\Windows Media Connect 2
2003-12-18 16:33 . 2005-04-09 16:52 20102 ----a-w- c:\program files\Readme.txt
2003-09-03 12:46 . 2005-04-09 16:52 10960 ----a-w- c:\program files\EULA.txt

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 577536]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-09-12 160160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-21 149280]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-02-21 5609280]

c:\documents and settings\Jere\Start Menu\Programs\Startup\
Shortcut to VPTray.lnk - c:\program files\Symantec AntiVirus\VPTray.exe [2005-6-23 85696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete



[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jere^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Jere\Start Menu\Programs\Startup\MagicDisc.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 13:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-12 18:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 21:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-10-07 19:33 13574144 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-10-07 19:33 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-10-07 19:33 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
2003-01-15 19:41 24576 ----a-w- c:\windows\system32\ptipbm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
2005-06-20 23:53 1056768 ----a-w- c:\program files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2004-11-17 15:21 1691648 ----a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-06-21 10:42 577536 ----a-r- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-21 02:47 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-09-15 17:13 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 02:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"c:\\Games\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Games\\Valve\\Steam\\SteamApps\\jlfreese\\counter-strike source\\hl2.exe"=
"c:\\Games\\Valve\\Steam\\SteamApps\\jlfreese\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Games\\Warcraft III\\Warcraft III.exe"=
"c:\\Games\\Valve\\Steam\\SteamApps\\jlfreese\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_05\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Games\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Games\\Dawn of War\\W40k.exe"=
"c:\\Games\\Dawn of War\\W40kWA.exe"=
"c:\\Program Files\\Azureus BIT TORRENT\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Games\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.2\\cnc3game.dat"=
"c:\\Games\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.3\\cnc3game.dat"=
"c:\\Games\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.4\\cnc3game.dat"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

"6112:TCP"= 6112:TCP:Warcraft III Battle.net
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/18/2005 9:53 PM 685816]
R0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [7/26/2005 2:03 PM 159616]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [7/26/2005 2:03 PM 5248]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [8/19/2004 4:07 PM 77312]
S2 DLLReg;Microsoft DLL Registration Component;"c:\windows\regsvr32.exe" --> c:\windows\regsvr32.exe [?]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Jere\LOCALS~1\Temp\cdrmkaun.sys --> c:\docume~1\Jere\LOCALS~1\Temp\cdrmkaun.sys [?]
S3 npkycryp;npkycryp;\??\c:\games\Ragnarok Online\npkycryp.sys --> c:\games\Ragnarok Online\npkycryp.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 6:27 PM 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI9
Contents of the 'Scheduled Tasks' folder

2009-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-28 c:\windows\Tasks\RoxioUpdator.job
- c:\program files\Common Files\Roxio Shared\Autoupdater\autoupdater.exe [2004-11-17 15:13]
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Jere\Application Data\Mozilla\Firefox\Profiles\qgs0x7a7.Jere\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
MSConfigStartUp-MtdAcq - c:\program files\Creative\Shared Files\Media Sniffer\MtdAcq.exe
MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
AddRemove-AIM_6 - c:\program files\AIM6\uninst.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 17:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-1960408961-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3860)
c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
------------------------ Other Running Processes ------------------------
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
Completion time: 2010-02-21 17:46:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 23:46

Pre-Run: 47,758,475,264 bytes free
Post-Run: 47,568,261,120 bytes free

[boot loader]
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 90CA55D6A659712BE6FBC71547721247

Attached File  ComboFix.txt   19.28KB   8 downloads

BC AdBot (Login to Remove)


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:08 AM

Posted 23 February 2010 - 08:52 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 jeramish

  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Chicagoland, IL
  • Local time:02:08 AM

Posted 23 February 2010 - 09:16 PM

Hi m0le, thanks for assisting me... I will probably not have time to check the forum again tonight, but will be able to do so after work tomorrow at 5pm CST . thumbup.gif

#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:08 AM

Posted 26 February 2010 - 07:23 PM

Are you still there jeramish?
Posted Image
m0le is a proud member of UNITE

#5 jeramish

  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Chicagoland, IL
  • Local time:02:08 AM

Posted 26 February 2010 - 08:09 PM

Yep, but I'm currently replying via my Droid, not @ home... I'll try to start with your first set of instructions when I'm able to get in front of the pc, though.

#6 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:08 AM

Posted 26 February 2010 - 09:53 PM

No problem. smile.gif

I'll bump the topic in 5 days just to make sure you're still there.
Posted Image
m0le is a proud member of UNITE

#7 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:08 AM

Posted 03 March 2010 - 08:26 PM

Hey Jeramish, are you still with me?
Posted Image
m0le is a proud member of UNITE

#8 jeramish

  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Chicagoland, IL
  • Local time:02:08 AM

Posted 03 March 2010 - 08:44 PM


#9 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:08 AM

Posted 03 March 2010 - 08:48 PM


I'll bump the topic in another 5 days unless you get back behind a PC. thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#10 jeramish

  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Chicagoland, IL
  • Local time:02:08 AM

Posted 03 March 2010 - 08:53 PM

Oh I'm actually at home and can get on the pc now iff you'd like.

#11 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:08 AM

Posted 03 March 2010 - 09:04 PM

You can, but I'm off for some sleep - it's gone 2am in the UK.

Combofix's log looks good (though you should not be running it yourself without support)

Can you scan for other nasties with MBAM and then the ESET online scanner.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#12 jeramish

  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Chicagoland, IL
  • Local time:02:08 AM

Posted 03 March 2010 - 09:35 PM

Sounds good, will do. I was actually reading up on a variety of other posts from this forum regarding this issue and followed the general format to tackle the problem, but due to my unfamiliarity with the related processes associated with the trojan decided that having and experienced set of eyes would definitely be helpful before tabling the problem. As an engineer I admittedly got ahead of myself thinking that I could go in and take care of it myself, but we all need a little help smile.gif especially as you guys specialize in malware ... Obviously the best solution is reformatting, but due to time constraints that is going to have to wait for a few months. Although I have read ppl reporting the malware resurfacing immediately after formatting.. is this true for a full format, or is it more likely that they did not preform a full scrub and just used a pc manufacturer recovery disk?

My fiancee was using the computer prior to me discovering the issue, so I was also wondering if there are some known common websites/programs which are spreading the malware? Upon attempting to do some investigating I didn't notice any new programs and she says she didn't install anything. Its most likely my fault for not addressing Microsoft's .net framework assistant in Firefox earlier, though.

Sorry for the novella, thanks for the help and have a good night!

Edited by jeramish, 04 March 2010 - 12:56 AM.

#13 jeramish

  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Chicagoland, IL
  • Local time:02:08 AM

Posted 04 March 2010 - 12:55 AM

Malwarebytes came up clear... just finished the ESET complete scan w/ archives as instructed and it came up with 0 threats as well, so I wasn't given the option to export a log.

Malwarebytes' Anti-Malware 1.44
Database version: 3823
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/3/2010 10:18:58 PM
mbam-log-2010-03-03 (22-18-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 362324
Time elapsed: 1 hour(s), 12 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:08 AM

Posted 04 March 2010 - 07:40 AM

I have read ppl reporting the malware resurfacing immediately after formatting.. is this true for a full format, or is it more likely that they did not preform a full scrub and just used a pc manufacturer recovery disk?

It could be. Reformatting isn't something that is often carried out and it is possible that they are reinstalling or running the repair disk. It is also possible that they were hit with the new MBR rootkit. MBR doesn't get overwritten after a reformat/reinstall which makes it the first rootkit that won't get removed on the fail-safe, reformat/reinstall.

I was also wondering if there are some known common websites/programs which are spreading the malware?

Certainly Facebook has been hit recently. The main way a site can attack you is if it is a legit site which has been hacked.

Anyway, I'm happy with the PC so we can go to the final important instruction.

Your log is clean. Good stuff! thumbup2.gif

Let's firstly do some housekeeping

Uninstall ComboFix

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Here's a list of ways you can avoid problems in the future:

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

That's it jeramish, happy surfing!



Posted Image
m0le is a proud member of UNITE

#15 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:08 AM

Posted 08 March 2010 - 08:17 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. smile.gif

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users