
search engine links redirect hijacked too


This topic is locked
17 replies to this topic

#1 jigaman

Posted 18 April 2010 - 03:18 PM

Hi there, I run Windows Vista and I have NOD32 installed, with Spybot search and restore too.

Just yesterday I noticed that when I search on Google using Firefox 3.5.9, the links in the search results take me to different websites other than the search result links. Sometimes to a page that asks me to scan my system, and I just close it.

At the same time my antivirus alert notifies me that it has blocked some IPs. After doing a system restore or after using Malwarebytes, not sure which, I think the redirect problem is gone; however, I still get the notice about the blocked IPs:


15:08:18 IP-BLOCK 91.212.226.130
15:08:26 IP-BLOCK 91.212.226.130
15:08:42 IP-BLOCK 91.212.226.179
15:08:42 IP-BLOCK 91.212.226.179
15:08:50 IP-BLOCK 91.212.226.179
15:09:07 IP-BLOCK 91.212.226.178
15:09:07 IP-BLOCK 91.212.226.178
20:39:03 IP-BLOCK 94.228.209.200
20:47:36 IP-BLOCK 88.214.226.32

After using Malwarebytes as well, the only thing it found that I cleaned was Malware.Trace in local/temp/hi.bat.

I've also done a system restore in hope it will go away, but no change.

Thanks in advance.

Also, in anticipation I've done steps 6-8 as suggested in a similar post, although GMER didn't run; even when I tried it in Safe Mode it freezes or just crashes the system.

Edited by jigaman, 19 April 2010 - 02:56 AM.




#2 jigaman (Topic Starter)

Posted 19 April 2010 - 02:59 AM

sorry bump please

#3 jigaman (Topic Starter)

Posted 21 April 2010 - 02:23 PM

Hi there, now I got an alert from Malwarebytes that ave.exe wanted to start on the system. I had this before and did a system restore and it went away; maybe they are all linked :( and it never really went.

Would appreciate any help.

#4 Budapest (Moderator)

Posted 23 April 2010 - 04:49 PM

Please run a quick scan with Malwarebytes and post the log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 jigaman (Topic Starter)

Posted 23 April 2010 - 05:25 PM

Thank you

Please run a quick scan with Malwarebytes and post the log.



Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4004

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18702

18/04/2010 16:05:27
mbam-log-2010-04-18 (16-05-27).txt

Scan type: Quick scan
Objects scanned: 122694
Time elapsed: 29 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Preli\AppData\Local\Temp\hi.bat (Malware.Trace) -> Quarantined and deleted successfully.

#6 Budapest (Moderator)

Posted 23 April 2010 - 06:12 PM

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply (you can edit out all the cookies if you like).
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

#7 jigaman (Topic Starter)

Posted 23 April 2010 - 09:15 PM

Here you go please

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/24/2010 at 02:57 AM

Application Version : 4.35.1002

Core Rules Database Version : 4846
Trace Rules Database Version: 2658

Scan type : Complete Scan
Total Scan Time : 01:28:07

Memory items scanned : 290
Memory threats detected : 0
Registry items scanned : 9865
Registry threats detected : 50
File items scanned : 58639
File threats detected : 58

Adware.Vundo/Variant
HKLM\Software\Classes\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32#ThreadingModel
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Programmable
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib
HKCR\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID
HKCR\TBSB00808.TBSB00808.3
HKCR\TBSB00808.TBSB00808.3\CLSID
HKCR\TBSB00808.TBSB00808
HKCR\TBSB00808.TBSB00808\CLSID
HKCR\TBSB00808.TBSB00808\CurVer
HKCR\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}
HKCR\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}\1.0
HKCR\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}\1.0\0
HKCR\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}\1.0\0\win32
HKCR\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}\1.0\FLAGS
HKCR\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}\1.0\HELPDIR
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.3\TBCORE3.DLL
HKU\S-1-5-21-2889023103-3262186007-3765939994-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{BFB5F154-9212-46F3-B547-AC6106030A54}
HKU\S-1-5-21-2889023103-3262186007-3765939994-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{BFB5F154-9212-46F3-B547-AC6106030A54}
HKLM\Software\Microsoft\Internet Explorer\Extensions\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BFB5F154-9212-46F3-B547-AC6106030A54}
HKCR\Interface\{2A42D13C-D427-4787-821B-CF6973855778}
HKCR\Interface\{2A42D13C-D427-4787-821B-CF6973855778}\ProxyStubClsid
HKCR\Interface\{2A42D13C-D427-4787-821B-CF6973855778}\ProxyStubClsid32
HKCR\Interface\{2A42D13C-D427-4787-821B-CF6973855778}\TypeLib
HKCR\Interface\{2A42D13C-D427-4787-821B-CF6973855778}\TypeLib#Version
HKCR\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}
HKCR\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}\ProxyStubClsid
HKCR\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}\ProxyStubClsid32
HKCR\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}\TypeLib
HKCR\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}\TypeLib#Version
HKCR\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}
HKCR\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\ProxyStubClsid
HKCR\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\ProxyStubClsid32
HKCR\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\TypeLib
HKCR\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\TypeLib#Version

Adware.HBHelper
HKU\S-1-5-21-2889023103-3262186007-3765939994-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKU\S-1-5-21-2889023103-3262186007-3765939994-1000\Software\Microsoft\Internet Explorer\URLSearchHooks#{CA3EB689-8F09-4026-AA10-B9534C691CE0}

Browser Hijacker.Deskbar
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

#8 jigaman (Topic Starter)

Posted 23 April 2010 - 09:22 PM

Attaching an image of an alert I also get, apart from the IP block alert.

Posted Image

#9 Budapest (Moderator)

Posted 23 April 2010 - 10:00 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#10 jigaman (Topic Starter)

Posted 23 April 2010 - 11:42 PM

Hello,

In Safe Mode when it runs the express scan, every time it gets to a certain point the computer just shuts down. Tried it 3 times now, same thing.

#11 Budapest (Moderator)

Posted 24 April 2010 - 01:41 AM

Skip it and try this scan instead:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

#12 jigaman (Topic Starter)

Posted 24 April 2010 - 04:05 AM

Unfortunately same thing :( and for GMER too. I tried GMER initially before the post and closed all programs, in Safe Mode too, but it still bleeps down, same for both :(

#13 Budapest (Moderator)

Posted 24 April 2010 - 03:59 PM

Try running GMER with only the "Sections" box checked.

#14 jigaman (Topic Starter)

Posted 24 April 2010 - 08:37 PM

only selection

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-24 23:49:16
Windows 6.0.6001 Service Pack 1
Running: hewggbnr.exe; Driver: C:\Users\Preli\AppData\Local\Temp\pglcapod.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtProtectVirtualMemory 77A88968 5 Bytes JMP 0021000A
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtWriteVirtualMemory 77A892A8 5 Bytes JMP 002B000A
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!KiUserExceptionDispatcher 77A899E8 5 Bytes JMP 0020000A
.text C:\Windows\Explorer.EXE[1148] ntdll.dll!NtProtectVirtualMemory 77A88968 5 Bytes JMP 0041000A
.text C:\Windows\Explorer.EXE[1148] ntdll.dll!NtWriteVirtualMemory 77A892A8 5 Bytes JMP 0042000A
.text C:\Windows\Explorer.EXE[1148] ntdll.dll!KiUserExceptionDispatcher 77A899E8 5 Bytes JMP 0040000A

---- EOF - GMER 1.0.15 ----




==================

Partial just before crash<<<<


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-25 00:12:32
Windows 6.0.6001 Service Pack 1
Running: hewggbnr.exe; Driver: C:\Users\Preli\AppData\Local\Temp\pglcapod.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[848] ntdll.dll!NtProtectVirtualMemory 77628968 5 Bytes JMP 002A000A
.text C:\Windows\system32\svchost.exe[848] ntdll.dll!NtWriteVirtualMemory 776292A8 5 Bytes JMP 002B000A
.text C:\Windows\system32\svchost.exe[848] ntdll.dll!KiUserExceptionDispatcher 776299E8 5 Bytes JMP 0029000A
.text C:\Windows\Explorer.EXE[1128] ntdll.dll!NtProtectVirtualMemory 77628968 5 Bytes JMP 0024000A
.text C:\Windows\Explorer.EXE[1128] ntdll.dll!NtWriteVirtualMemory 776292A8 5 Bytes JMP 0025000A
.text C:\Windows\Explorer.EXE[1128] ntdll.dll!KiUserExceptionDispatcher 776299E8 5 Bytes JMP 0023000A

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186dfbeed
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186dfbeed@000a2820d54e 0x45 0x80 0x5D 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186dfbeed@00054f0f5adf 0xE2 0xD4 0xAF 0x7B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186dfbeed@0022a5881e0c 0x1E 0x37 0x6F 0x6E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186dfbeed@0021fc33a783 0xEB 0x4B 0x72 0xE9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186dfbeed (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186dfbeed@000a2820d54e 0x45 0x80 0x5D 0x1A ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186dfbeed@00054f0f5adf 0xE2 0xD4 0xAF 0x7B ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186dfbeed@0022a5881e0c 0x1E 0x37 0x6F 0x6E ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186dfbeed@0021fc33a783 0xEB 0x4B 0x72 0xE9 ...
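
The GMER output above shows the same three ntdll exports (NtProtectVirtualMemory, NtWriteVirtualMemory, KiUserExceptionDispatcher) patched with a 5-byte JMP in both svchost.exe and Explorer.EXE, with every JMP target sitting at a low address far outside ntdll's image. That is the pattern a defender wants to pull out of such a log mechanically when triaging a user-mode hook. The Python below is an added example, not code from the thread or from GMER: it parses "User code sections" lines in that format, groups hooks by process, and flags a process when a hook on a sensitive export jumps out of its module. The sample log is constructed to mirror the posted format; the 16 MiB far-jump threshold and the set of exports treated as sensitive are assumptions chosen for illustration, not GMER's own logic.

```python
"""Parse GMER "User code sections" lines and summarise inline hooks per process.

Added example (not from the thread or from GMER). The sample log is
constructed to match the posted format; FAR_JUMP_BYTES and SENSITIVE_EXPORTS
are assumptions for illustration, not GMER's own logic.
"""
import re
from collections import defaultdict

# Constructed sample in the GMER 1.0.15 "User code sections" format.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtProtectVirtualMemory 77A88968 5 Bytes JMP 0021000A
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtWriteVirtualMemory 77A892A8 5 Bytes JMP 002B000A
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!KiUserExceptionDispatcher 77A899E8 5 Bytes JMP 0020000A
.text C:\Windows\Explorer.EXE[1148] ntdll.dll!NtProtectVirtualMemory 77A88968 5 Bytes JMP 0041000A
.text C:\Windows\Explorer.EXE[1148] ntdll.dll!NtWriteVirtualMemory 77A892A8 5 Bytes JMP 0042000A
.text C:\Windows\Explorer.EXE[1148] ntdll.dll!KiUserExceptionDispatcher 77A899E8 5 Bytes JMP 0040000A

---- EOF - GMER 1.0.15 ----
"""

# One hook line: section, image path with [pid], module!export, patched
# address, patch length, and the JMP target GMER decoded from the patch bytes.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+"
    r"JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)

# Assumption: a JMP landing more than 16 MiB from the patched export has left
# the module's own image and points into private (heap/VirtualAlloc) memory.
FAR_JUMP_BYTES = 16 * 1024 * 1024

# Assumption: exports worth calling out separately because they gate memory
# protection changes, cross-process writes and exception dispatch.
SENSITIVE_EXPORTS = {
    "NtProtectVirtualMemory",
    "NtWriteVirtualMemory",
    "KiUserExceptionDispatcher",
}


def parse_hooks(log_text):
    """Return one dict per '.text ... JMP ...' line; other lines are ignored."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append({
            "image": m.group("image"),
            "pid": int(m.group("pid")),
            "module": m.group("module"),
            "function": m.group("function"),
            "address": int(m.group("address"), 16),
            "size": int(m.group("size")),
            "target": int(m.group("target"), 16),
        })
    return hooks


def is_far_jump(hook):
    """True when the JMP target is far from the patched export (see assumption)."""
    return abs(hook["target"] - hook["address"]) > FAR_JUMP_BYTES


def summarise(hooks):
    """Group hooks by PID; count far jumps and hooks on sensitive exports."""
    by_pid = defaultdict(lambda: {"image": None, "hooks": [], "far_jumps": 0, "sensitive": 0})
    for h in hooks:
        entry = by_pid[h["pid"]]
        entry["image"] = h["image"]
        entry["hooks"].append(f'{h["module"]}!{h["function"]}')
        if is_far_jump(h):
            entry["far_jumps"] += 1
        if h["function"] in SENSITIVE_EXPORTS:
            entry["sensitive"] += 1
    return dict(by_pid)


def report(log_text):
    """One triage line per hooked process, SUSPECT when a sensitive export jumps out of module."""
    lines = []
    for pid, entry in sorted(summarise(parse_hooks(log_text)).items()):
        flag = "SUSPECT" if entry["far_jumps"] and entry["sensitive"] else "review"
        lines.append(
            f'{flag}: {entry["image"]} [{pid}] hooks={len(entry["hooks"])} '
            f'far_jumps={entry["far_jumps"]} sensitive={entry["sensitive"]}'
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a saved gmer.log by passing the file's text to report(). The distance heuristic is deliberately crude: a legitimate in-image detour (an AV shim or a hot-patched export) normally stays within the module, whereas the posted hooks jump to 0x0020000A-0x0042000A, tens of megabytes below ntdll, so all six lines are reported and both processes come out as SUSPECT.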

#15 Budapest (Moderator)

Posted 25 April 2010 - 12:19 AM

Run another Malwarebytes scan and post the log.

Also, let us know how your computer is running.



