
Google moved 302 virus and other issues


  • This topic is locked
44 replies to this topic

#1 bdeline
  • Members

Posted 11 April 2010 - 02:00 PM

Hello,
I am having issues with my wife's computer (using windows XP). There appears to be a virus on the computer that redirects google searches to a page that says "302 moved". The virus has also prevented me from running Malwarebytes and even prevents from installing the program when I rename the install files.
Any help would be appreciated.

Attached Files




#2 m0le
    Can U Dig It?
  • Malware Response Team

Posted 14 April 2010 - 01:41 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 bdeline
  • Topic Starter
  • Members

Posted 14 April 2010 - 02:35 PM

Thanks for the post, any advice is appreciated.

#4 m0le
    Can U Dig It?
  • Malware Response Team

Posted 14 April 2010 - 02:41 PM

There is a rootkit (and there may be a second).

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Then

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 bdeline
  • Topic Starter
  • Members

Posted 14 April 2010 - 08:28 PM

Thanks,
Ok, here are rkill and combofix log files

Attached Files

  • Attached File  log.txt   24.69KB   7 downloads
  • Attached File  rkill.log   386bytes   3 downloads


#6 m0le
    Can U Dig It?
  • Malware Response Team

Posted 15 April 2010 - 04:09 AM

The Combofix log is a bit of a jumble.

Please go to Start > Run > and copy/paste the following, then press Enter

C:\QooBox\ComboFix-quarantined-files.txt

A log file should open. Please post that in your next reply.
m0le is a proud member of UNITE

#7 bdeline
  • Topic Starter
  • Members

Posted 15 April 2010 - 06:41 AM

Here is a better log file.
And the quarantine file as well.

Attached File  ComboFix_quarantined_files.txt   15.44KB   2 downloads
Attached File  log.txt   25.07KB   5 downloads

#8 m0le
    Can U Dig It?
  • Malware Response Team

Posted 15 April 2010 - 08:20 AM

That's better

Please rerun Combofix with these instructions

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:


Collect::
c:\windows\system32\loyuvejo.dll
c:\windows\system32\tizuluke.exe
c:\windows\system32\zawomebe.exe

Folder::
c:\documents and settings\All Users\Application Data\SGWLBFCKYSD
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#9 bdeline
  • Topic Starter
  • Members

Posted 15 April 2010 - 09:48 AM

Thanks,
Ok here's the new log.
Attached File  log.txt   21.56KB   3 downloads

#10 m0le
    Can U Dig It?
  • Malware Response Team

Posted 15 April 2010 - 03:55 PM

Nice.

Please run an online scan with ESET to check for infected files and other remnants.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#11 bdeline
  • Topic Starter
  • Members

Posted 16 April 2010 - 05:34 AM

Here are the results of the ESET scan.

Attached Files


Edited by bdeline, 16 April 2010 - 05:35 AM.


#12 m0le
    Can U Dig It?
  • Malware Response Team

Posted 16 April 2010 - 05:42 AM

That looks good; there are a number of things on the log which still need to be removed.

I notice a Deckard System Scanner entry. If you still have this program then please remove it - the program was compromised by malware a while ago and is not safe.

Please now clear out the temp files/cookies/cache

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main "Select Files to Delete" choose: Select All.
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

This could also be Clear Recent History or similar

Then close Firefox and then reopen it.


Then

To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.

Then let me know how the PC is working
m0le is a proud member of UNITE

#13 bdeline
  • Topic Starter
  • Members

Posted 16 April 2010 - 07:21 AM

When I try to bring a page up on Firefox I still get - 302 Moved
The document has moved here.

#14 m0le
    Can U Dig It?
  • Malware Response Team

Posted 16 April 2010 - 12:08 PM

Let's reset the hosts file to stop the hijack.

Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Now try Firefox again.
m0le is a proud member of UNITE
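As an added, defender-side example (not part of this thread and not HostsXpert's own code): a small Python audit of a Windows hosts file that separates loopback "block" entries from entries that redirect a name to another address, and that can write back the stock file and mark it read-only, the same end state as the "Restore MS Hosts File" and "Make Read Only" steps above. The sample hosts content, the list of protected search domains and the 203.0.113.10 address (a documentation-only range) are constructed for this example.

```python
"""Audit a Windows HOSTS file for search-engine redirect entries.

Constructed example; not part of the thread or of HostsXpert.
"""
import ipaddress
import os
import stat

# Addresses that block or sinkhole a name rather than redirecting it elsewhere.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains a hijacker commonly points elsewhere (assumed list for this example).
PROTECTED_SUFFIXES = ("google.com", "bing.com", "yahoo.com", "live.com")

# Constructed sample hosts file: stock header, one legitimate line, then the
# kind of lines a redirect hijacker appends. 203.0.113.10 is a documentation
# address (TEST-NET-3), not a real server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.google.com   # appended by malware (constructed)
203.0.113.10    google.com
127.0.0.1       ads.example-blocked.test
"""

# The only active mapping a stock Windows XP hosts file carries.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"


def parse_hosts(text):
    """Return (line_number, ip, hostname) triples, ignoring comments and junk."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # not a hosts entry; skip it
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def find_redirects(text, protected=PROTECTED_SUFFIXES):
    """Entries that send a protected domain to a non-loopback address.

    A loopback mapping only blocks a name; a mapping to any other address
    makes the browser connect to that host instead, which is how a fake
    '302 Moved' page can be served in place of a search result.
    """
    hits = []
    for lineno, ip, name in parse_hosts(text):
        if ip in LOOPBACK:
            continue
        if any(name == s or name.endswith("." + s) for s in protected):
            hits.append((lineno, ip, name))
    return hits


def find_non_loopback(text):
    """Every mapping that is not loopback; on a home PC each deserves a look."""
    return [e for e in parse_hosts(text) if e[1] not in LOOPBACK]


def write_restored(path):
    """Overwrite the file with the stock content and mark it read-only."""
    with open(path, "w", newline="\r\n") as fh:   # Windows line endings
        fh.write(DEFAULT_HOSTS)
    os.chmod(path, stat.S_IREAD)                   # equivalent of "Make Read Only"
    return path


if __name__ == "__main__":
    for lineno, ip, name in find_redirects(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}  (redirect, not a block)")
```

To check a real machine, pass the text of C:\WINDOWS\system32\drivers\etc\hosts (the standard location on XP) to find_redirects() and find_non_loopback(). A hosts file can only change which address a name resolves to, so when the audit comes back clean and the "302 Moved" page still appears, as it does in the next reply here, the redirect is being produced by something other than the hosts file and resetting it could not have fixed the symptom.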

#15 bdeline
  • Topic Starter
  • Members

Posted 16 April 2010 - 02:53 PM

I followed the instructions for the HostsXpert, but I am still having the same problems with the "302 moved" and redirections.




