Redirect Malware/virus on every Browser


This topic is locked. 44 replies to this topic

#1 JackieJiv

JackieJiv

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Phoenix, Az
  • Local time:08:28 AM

Posted 16 April 2010 - 12:22 PM

Hi, I am a new computer user and I have a Dell Dimension 9100 with Windows XP. Recently I met a person on a social site and began chatting with them on Yahoo!. They gave me a link to check out their web site, only to have malware put on my computer. Now, as you all probably know, no matter what browser I download and use, the issue still persists with any search engine: a redirection to a sales site of some sort. I have already tried 5 AVs and a system restore. I also read on another topic on here about ComboFix and I am not sure if I did something wrong when I tried ComboFix. But the issue is still present. It is very aggravating because I have been trying to fix this issue since the moment I got it, which was 3 or 4 days ago. Please HELP- Thank you-


I do have the ComboFix log: I tried to stop Panda antivirus, which ComboFix said was still running, however it wasn't present on my desktop or even in the Add/Remove Programs menu to delete! I have created another topic for that issue as well ........

Edited by JackieJiv, 16 April 2010 - 12:34 PM.

~Jackie J. IV

#2 JackieJiv


Posted 16 April 2010 - 12:29 PM

When I go to my Add/Remove Programs menu I am unable to delete a couple of programs: Ask Toolbar and Opera 10.51 browser. "The feature you are trying to use is on a network resource that is unavailable" is the error message I get when I attempt to remove the program. When I try to browse for the correct path with a folder containing the installation package per program, I am absolutely clueless as to where to look. Please HELP- ty

Edited by elise025, 16 April 2010 - 01:23 PM.
Since no logs are posted, I am moving this topic to the Am I Infected forum ~ Elise

~Jackie J. IV

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:28 PM

Posted 16 April 2010 - 01:25 PM

Hello, let's first do a rootkit scan here.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 JackieJiv


Posted 16 April 2010 - 04:41 PM

Geez how long does this scan take? It's been about 30 mins already. Is that normal? Just curious.
~Jackie J. IV

#5 JackieJiv


Posted 16 April 2010 - 07:21 PM

Ok here is the report: Before I noticed that you replied I actually figured out how to delete Panda and started ComboFix again. That seemed to repair the redirect issue. I went ahead and re-added Panda and eliminated all the other AVs. TY for your help- I still want to know your advice and further instructions for improvement, as well as a solution for the Add/Delete Programs issue I am having.



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 17:05:26
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\Joe\LOCALS~1\Temp\kxldypoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF777B360, 0x32DEFD, 0xE8000020]
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF87DA760]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom CLBUDF.SYS (UDF File System Driver (Windows2000)/CyberLink Corporation.)
Device \FileSystem\Udfs \UdfsDisk CLBUDF.SYS (UDF File System Driver (Windows2000)/CyberLink Corporation.)
Device \FileSystem\Cdfs \Cdfs CLBUDF.SYS (UDF File System Driver (Windows2000)/CyberLink Corporation.)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{35BEE761-3228-53EA-EC0F-A3E71CE6B458}

---- EOF - GMER 1.0.15 ----

~Jackie J. IV

#6 Elise


Posted 17 April 2010 - 02:04 AM

Hello again,
At least that looks clean.

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise



#7 JackieJiv


Posted 17 April 2010 - 08:48 AM

Ok here is the report-

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4000

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/16/2010 6:38:32 AM
mbam-log-2010-04-16 (06-38-32).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 181509
Time elapsed: 1 hour(s), 13 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

~Jackie J. IV

#8 Elise


Posted 17 April 2010 - 09:38 AM

Can you please let me know, at this point, what exactly your problems are (redirects, popups, fake warnings, and so on)?

regards, Elise



#9 JackieJiv


Posted 17 April 2010 - 12:13 PM

Okay- the redirect issue seems to have been fixed a few replies ago. Panda Cloud AV keeps detecting and neutralizing trojans and detecting cookies as well as some suspicious files. Don't know why MBAM didn't detect them. While MBAM was scanning, I thought I had turned Panda AV off, and during the scan a pop-up came up saying that Panda AV neutralized a virus, which was a Trojan/CI.A. So after the scan I turned Panda AV off as well as my Windows Defender, of course. I re-ran the MBAM scan and still no detection. I ran the scan a 3rd time just to make sure and it was still clear. The issue that I have on top of all this is that I cannot delete two programs from my Add/Delete Programs menu. They are the Ask Toolbar and Opera 10.51 - I get a "Windows Installer" error message as mentioned in my other topic posted above. I am currently using Opera 10.51, but it is in the Add/Remove Programs list twice. The one that I am unable to delete is 28.23 MB and the one that I am able to use and delete if desired is only 12.92 MB. I've tried uninstalling and re-installing to see if that would merge the new installation with the old, and it didn't work. That's how I was able to remove Panda Cloud AV and replace it when it was giving me the same issue, but it's not in there twice. That solution, however, did not work with the other two programs. I don't know what I am doing wrong or if it is the Trojan that Panda keeps having to neutralize and quarantine.

Edited by JackieJiv, 17 April 2010 - 03:07 PM.

~Jackie J. IV

#10 Elise


Posted 17 April 2010 - 01:08 PM

It would be helpful if you could let me know what trojan Panda is detecting and where it is located (there should be a log kept in which you can find this information).

regards, Elise



#11 JackieJiv


Posted 17 April 2010 - 03:05 PM

Ok - Panda is detecting:

Trojan/CI.A
Location:
C:system volume information\_restore{2591DCDE-2C9B-475D-BF48-A2E77A8C56DA}\RP107\A0022784.exe
Status: Neutralized

Suspicious file
Location:
C:system volume information\_restore{2591DCDE-2C9B-475D-BF48-A2E77A8C56DA}\RP1\A0000009.exe
Status: Blocked due to possible infection and currently being analyzed by the Panda Laboratory
~Jackie J. IV

#12 Elise


Posted 17 April 2010 - 03:17 PM

Hi again,
These Panda warnings are only for detections in System Restore. This means nothing is active.
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program. Note - you might see an error message regarding Internet Explorer. Just ignore this and continue.
  • Place a checkmark in front of "fix windows installer"
  • Click on Go
  • Exit/Close Dial-A-Fix
See if you can uninstall Ask Toolbar and Opera afterwards.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

regards, Elise

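Added example (not code from this thread, from Malwarebytes or from Panda): a small Python triage helper that reads the summary block of an MBAM log like the one posted in reply #7 and checks whether a Panda detection path, like the ones in reply #11, points into a System Restore snapshot (the point Elise makes above: such detections are stored copies in `System Volume Information\_restore{...}\RPnnn\`, not something running). The sample log text and paths are constructed for the example, with the counts changed so the "not clean" branch runs; the regexes and function names are mine, not any scanner's own API.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Constructed sample, modelled on the MBAM 1.45 summary block quoted in this
# thread; the counts are altered so the "not clean" branch is exercised.
SAMPLE_MBAM_SUMMARY = """\
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4000

Windows 5.1.2600 Service Pack 3

Scan type: Full scan (C:\\|D:\\|E:\\|F:\\|)
Objects scanned: 181509
Time elapsed: 1 hour(s), 13 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
"""

# One "<category> Infected: <n>" summary line. The detail section repeats the
# category headings without a number, so those lines deliberately do not match.
_COUNT_LINE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):\s*(?P<count>\d+)\s*$")
_DB_VERSION = re.compile(r"^Database version:\s*(?P<ver>\d+)\s*$")

# A System Restore snapshot path: ...\System Volume Information\_restore{GUID}\RP<n>\...
# The drive part is left loose on purpose: the paths pasted in this thread
# lack the backslash after "C:".
_RESTORE_POINT = re.compile(
    r"(?i)system volume information\\_restore\{[0-9a-f-]+\}\\rp(?P<rp>\d+)\\"
)


class MbamSummary(NamedTuple):
    database_version: Optional[int]
    counts: Dict[str, int]


def parse_mbam_summary(text: str) -> MbamSummary:
    """Pull the database version and the per-category 'Infected' counts
    out of the header/summary part of an MBAM log."""
    counts: Dict[str, int] = {}
    db_version: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _DB_VERSION.match(line)
        if m:
            db_version = int(m.group("ver"))
            continue
        m = _COUNT_LINE.match(line)
        if m:
            counts[m.group("category")] = int(m.group("count"))
    return MbamSummary(db_version, counts)


def mbam_is_clean(summary: MbamSummary) -> bool:
    """True only when a summary block was found and every count is zero;
    an empty or truncated log is never reported as clean."""
    return bool(summary.counts) and all(n == 0 for n in summary.counts.values())


def classify_detection_path(path: str) -> Tuple[str, Optional[int]]:
    """Tell a stored System Restore copy apart from a file anywhere else.

    Returns ("system-restore", <restore point number>) for a file inside a
    restore point (a saved copy, which is why the thread treats it as not
    active) and ("outside-restore-points", None) for any other location.
    """
    m = _RESTORE_POINT.search(path)
    if m:
        return ("system-restore", int(m.group("rp")))
    return ("outside-restore-points", None)


if __name__ == "__main__":
    summary = parse_mbam_summary(SAMPLE_MBAM_SUMMARY)
    print("MBAM database version:", summary.database_version)
    print("MBAM clean:", mbam_is_clean(summary))
    # Constructed paths in the shape of the Panda detections posted above.
    for p in (
        r"C:system volume information\_restore{2591DCDE-2C9B-475D-BF48-A2E77A8C56DA}\RP107\A0022784.exe",
        r"C:\WINDOWS\system32\drivers\example.sys",
    ):
        print(classify_detection_path(p), p)
```

Run it on a saved MBAM log by reading the file into `parse_mbam_summary`; the restore-point check is only a location test, so a detection outside `_restore{...}` still needs a look at the scanner's own verdict and the file's location.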


#13 JackieJiv


Posted 17 April 2010 - 03:50 PM

Ok - scanning. Is it ok to use my computer while this is scanning and Dial-a-Fix is working?

Edited by JackieJiv, 17 April 2010 - 03:51 PM.

~Jackie J. IV

#14 Elise


Posted 17 April 2010 - 03:52 PM

Dial-a-Fix should be really fast.

You can use your computer while doing the ESET scan, but it might be slightly slower.

regards, Elise



#15 JackieJiv


Posted 17 April 2010 - 04:11 PM

Ok, I still cannot remove those programs. ESET is still scanning.
~Jackie J. IV
