Random popups, google links redirected, possible browser hijack?


This topic is locked
27 replies to this topic

#16 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,404 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:10 AM

Posted 06 May 2010 - 02:27 AM

Hello again,

KASPERSKY ONLINE SCAN
-----------------------------------
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#17 Hollyw00d

  • Topic Starter
  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:10 PM

Posted 06 May 2010 - 12:39 PM

Sorry for the delay, I had to let Kaspersky run overnight. None of these really concern me, as most are probably false positives, outside the one in the Java cache. That one caught my eye right away. Either way, you guys are the pros, so have at it =)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, May 6, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, May 06, 2010 03:18:31
Records in database: 4062107
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 324210
Threats found: 8
Infected objects found: 14
Suspicious objects found: 0
Scan duration: 04:41:45


File name / Threat / Threats count
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\51\158e9633-11a0a78a Infected: Trojan-Downloader.Java.Agent.ce 1
G:\F Drive\Desktop crap\Q3Ademo\demoq3\EXCURSION8.11\Addons\Nukenabber\Report.exe Infected: not-a-virus:NetTool.Win32.NukeNabber.21 1
G:\Games\PacSteam\Inventory.exe Infected: Worm.Win32.AutoRun.bfpz 1
G:\Games\PacSteam\StandAloneCreator\PopCap Downloader.exe Infected: Worm.Win32.AutoRun.bfpz 1
G:\Installers Drive\1-21-10 Install\UPP - New\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
G:\Installers Drive\1-21-10 Install\UPP - New\mirc_upp.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
G:\Installers Drive\daemon403-x86.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
G:\Installers Drive\Installers\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
G:\Installers Drive\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
G:\Installers Drive\PolarisXv111.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
G:\Installers Drive\UPP - New\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
G:\Installers Drive\UPP - New\mirc_upp.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 1
G:\New Desktop Items\Vent Flooder\ventrilobotomy.zip Infected: Exploit.Win32.Aluigi.ig 1
G:\New Desktop Items\Vent Flooder\ventrilofp.exe Infected: not-a-virus:NetTool.Win32.Agent.ee 1

Selected area has been scanned.


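A small triage of the Kaspersky report format above, added here as an example and not part of the thread: it parses the "<path> Infected: <threat> <count>" detection lines, separates Kaspersky's not-a-virus riskware tags from real detections, and flags anything sitting in the Java deployment cache, which is the hit the poster singled out. The sample lines are copied from the report above; the function and constant names are my own.

```python
import re
from collections import Counter

# Four detection lines taken from the Kaspersky Online Scanner 7.0 report above
# (the report's own "<path> Infected: <threat> <count>" layout).
SAMPLE_REPORT = """\
File name / Threat / Threats count
C:\\Documents and Settings\\NetworkService\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\51\\158e9633-11a0a78a Infected: Trojan-Downloader.Java.Agent.ce 1
G:\\Games\\PacSteam\\Inventory.exe Infected: Worm.Win32.AutoRun.bfpz 1
G:\\Installers Drive\\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
G:\\New Desktop Items\\Vent Flooder\\ventrilobotomy.zip Infected: Exploit.Win32.Aluigi.ig 1

Selected area has been scanned.
"""

LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
RISKWARE_PREFIX = "not-a-virus:"   # Kaspersky's tag for legitimate-but-risky tools
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"   # where fetched applets land


def parse_report(text):
    """Turn the report's detection lines into dicts; every other line is skipped."""
    detections = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        threat = m.group("threat")
        detections.append({
            "path": m.group("path"),
            "threat": threat,
            "count": int(m.group("count")),
            "riskware": threat.startswith(RISKWARE_PREFIX),
            # behaviour class: Trojan-Downloader, Worm, Exploit, Client-IRC, ...
            "category": threat.split(":", 1)[-1].split(".", 1)[0],
            "java_cache": JAVA_CACHE_MARKER in m.group("path").lower(),
        })
    return detections


def triage(detections):
    """Separate real malware from riskware and single out Java-cache hits.
    A detection in the Java deployment cache is the trace of an applet the
    browser fetched from a web page, so it is the one to follow up on first."""
    malware = [d for d in detections if not d["riskware"]]
    return {
        "malware": malware,
        "riskware": [d for d in detections if d["riskware"]],
        "java_cache": [d for d in malware if d["java_cache"]],
        "by_category": Counter(d["category"] for d in malware),
    }


if __name__ == "__main__":
    report = triage(parse_report(SAMPLE_REPORT))
    for d in report["java_cache"]:
        print("follow up:", d["threat"], d["path"])
    print("malware:", len(report["malware"]), "riskware:", len(report["riskware"]))
```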
#18 Elise

Posted 06 May 2010 - 01:13 PM

Hello again,

Clear the Java cache:
  1. Go to Start -> Control Panel.
  2. In the Control Panel, double-click the Java icon.
      The Java Control Panel appears.
  3. Click Settings... under "Temporary Internet Files".
      The Temporary Files Settings dialog box appears.
  4. Click Delete Files...
      The Delete Temporary Files dialog box appears.
  5. Click OK on the Delete Temporary Files window.
    NOTE: This deletes all the Downloaded Applications and Applets from the cache!
  6. Click OK on the Temporary Files Settings window.
  7. Close the Java Control Panel.

    You can also view these instructions along with screenshots here.


Let me know if this stopped the browser redirects. Also, please try to boot into Safe Mode with Networking and let me know if you get redirects there as well.

regards, Elise




#19 Hollyw00d

Posted 06 May 2010 - 01:33 PM

Very first link in Google was a redirect (2-3 actually; it redirects... and then again... and again). Same for Safe Mode. Persistent, eh?

#20 Elise

Posted 06 May 2010 - 02:32 PM

Hello again,
Please download maxlook, saving the file to your desktop.
Double-click maxlook.exe to run it. Note - you must run it only once!
  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. At the C:\Windows prompt, type the following bolded text, and press Enter:

    batch look.bat

    You will see 1 file copied many times, then return to the C:\windows> prompt.
  6. At the next prompt type the following bolded text, and press Enter:

    exit

Once back in Windows, go to Start > Run, and copy/paste the following then press Enter.

maxlook -sig

Follow the prompts, and post (or attach) the log produced, C:\looklog.txt

regards, Elise




#21 Hollyw00d

Posted 06 May 2010 - 03:22 PM

I can't boot into the recovery console. When I select it from the OS list it says there has been a hardware configuration problem and any key reboots the machine.

#22 Elise

Posted 06 May 2010 - 03:28 PM

Please try the following instead. Use your XP CD, or, if you don't have one, create a CD as instructed.

Please download ARCDC from Artellos.com.
  • Double-click ARCDC.exe
  • Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
  • You will be prompted with a Terms of Use by Microsoft, please accept.
  • You will see a few DOS screens flash by; this is normal.
  • Next you will be able to choose to add extra files. Select the Default Files.
  • The last window will allow you to burn the disk using BurnCDCC.
    Your ISO is located on your desktop.
  • Restart the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2 or Del. On some machines the key can be a different one; it should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and the Tab key to move between elements. Press Enter to select an item to change.
    • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
    • The tab should now show your current boot order.
      If the CD drive is not at the top, navigate to the CD-ROM drive with the arrow keys, then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different; they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open

regards, Elise




#23 Hollyw00d

Posted 06 May 2010 - 03:32 PM

I guess I was a step ahead; I popped in my Windows CD instead and went that route. I executed look.bat and here is the looklog from maxlook:

Run from C:\Documents and Settings\Hollyw00d\Desktop\maxlook.exe on Thu 05/06/2010 at 16:28:45.10

--------- maxlook unsigned files ---------

c:\windows\maxdriver\hdaudbus.sys:
    Verified:    Unsigned
    File date:    3:51 PM 7/5/2007
    Publisher:    Windows (R) Server 2003 DDK provider
    Description:    High Definition Audio Bus Driver v1.0a
    Product:    Microsoft® Windows® Operating System
    Version:    5.10.01.5013
    File version:    5.10.01.5013 built by: WinDDK
c:\windows\maxdriver\hdaudio.sys:
    Verified:    Unsigned
    File date:    3:51 PM 7/5/2007
    Publisher:    Windows (R) Server 2003 DDK provider
    Description:    High Definition Audio Function Driver v1.0a
    Product:    Microsoft® Windows® Operating System
    Version:    5.10.01.5013
    File version:    5.10.01.5013 built by: WinDDK
c:\windows\maxdriver\imagedrv.sys:
    Verified:    Unsigned
    File date:    12:08 PM 8/15/2005
    Publisher:    Ahead Software AG
    Description:    NERO IMAGEDRIVE SCSI miniport
    Product:    Nero ImageDrive
    Version:    2.29.0.0
    File version:    2.29.0.0 built by: WinDDK
c:\windows\maxdriver\imagesrv.sys:
    Verified:    Unsigned
    File date:    12:08 PM 8/15/2005
    Publisher:    Ahead Software AG
    Description:    Nero Image Server
    Product:    Nero ImageDrive
    Version:    2.29.0.0
    File version:    2.29.0.0 built by: WinDDK
c:\windows\maxdriver\mqac.sys:
    Verified:    Unsigned
    File date:    7:48 AM 6/22/2009
    Publisher:    Microsoft Corporation
    Description:    Windows NT MQ Access Control Device Driver
    Product:    Microsoft Message Queue
    Version:    5.01.1111
    File version:    5.01.1111
c:\windows\maxdriver\rspndr.sys:
    Verified:    Unsigned
    File date:    3:52 PM 7/5/2007
    Publisher:    Microsoft Corporation
    Description:    Link-Layer Topology Responder Driver for NDIS 6
    Product:    Microsoft® Windows® Operating System
    Version:    5.1.2600.3029
    File version:    5.1.2600.3029 (xpsp_sp2_qfe.061107-2325)
c:\windows\maxdriver\vcsvad.sys:
    Verified:    Unsigned
    File date:    12:56 PM 12/26/2008
    Publisher:    Avnex
    Description:    Avnex Ltd. Virtual Audio Device (WDM)
    Product:    Avnex Ltd. Virtual Audio Device (WDM)
    Version:    1.0.0.1
    File version:    1.0.0.1
c:\windows\maxdriver\vidstub.sys:
    Verified:    Unsigned
    File date:    7:19 PM 1/21/2010
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\hdaudbus.sys:
    Verified:    Unsigned
    File date:    3:51 PM 7/5/2007
    Publisher:    Windows (R) Server 2003 DDK provider
    Description:    High Definition Audio Bus Driver v1.0a
    Product:    Microsoft® Windows® Operating System
    Version:    5.10.01.5013
    File version:    5.10.01.5013 built by: WinDDK
c:\windows\system32\drivers\hdaudio.sys:
    Verified:    Unsigned
    File date:    3:51 PM 7/5/2007
    Publisher:    Windows (R) Server 2003 DDK provider
    Description:    High Definition Audio Function Driver v1.0a
    Product:    Microsoft® Windows® Operating System
    Version:    5.10.01.5013
    File version:    5.10.01.5013 built by: WinDDK
c:\windows\system32\drivers\imagedrv.sys:
    Verified:    Unsigned
    File date:    12:08 PM 8/15/2005
    Publisher:    Ahead Software AG
    Description:    NERO IMAGEDRIVE SCSI miniport
    Product:    Nero ImageDrive
    Version:    2.29.0.0
    File version:    2.29.0.0 built by: WinDDK
c:\windows\system32\drivers\imagesrv.sys:
    Verified:    Unsigned
    File date:    12:08 PM 8/15/2005
    Publisher:    Ahead Software AG
    Description:    Nero Image Server
    Product:    Nero ImageDrive
    Version:    2.29.0.0
    File version:    2.29.0.0 built by: WinDDK
c:\windows\system32\drivers\mqac.sys:
    Verified:    Unsigned
    File date:    7:48 AM 6/22/2009
    Publisher:    Microsoft Corporation
    Description:    Windows NT MQ Access Control Device Driver
    Product:    Microsoft Message Queue
    Version:    5.01.1111
    File version:    5.01.1111
c:\windows\system32\drivers\rspndr.sys:
    Verified:    Unsigned
    File date:    3:52 PM 7/5/2007
    Publisher:    Microsoft Corporation
    Description:    Link-Layer Topology Responder Driver for NDIS 6
    Product:    Microsoft® Windows® Operating System
    Version:    5.1.2600.3029
    File version:    5.1.2600.3029 (xpsp_sp2_qfe.061107-2325)
c:\windows\system32\drivers\vcsvad.sys:
    Verified:    Unsigned
    File date:    12:56 PM 12/26/2008
    Publisher:    Avnex
    Description:    Avnex Ltd. Virtual Audio Device (WDM)
    Product:    Avnex Ltd. Virtual Audio Device (WDM)
    Version:    1.0.0.1
    File version:    1.0.0.1
c:\windows\system32\drivers\vidstub.sys:
    Verified:    Unsigned
    File date:    7:19 PM 1/21/2010
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a
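An added example, not part of the thread or of the maxlook tool itself: a parser for the log layout above that diffs the Recovery Console copy in maxdriver against the live system32\drivers list. In the posted log the two lists match entry for entry, which is the expected picture on a clean machine; the constructed sample below instead has one driver missing from the live list and one with a changed version, so the comparison has something to report. Function names, the sample driver names and their values are my own.

```python
import re

# Constructed sample in the layout of the maxlook log posted above. The driver
# names and values are made up: vidstub.sys appears only in the Recovery Console
# copy, and sample.sys carries a different version in the live folder.
SAMPLE_LOG = """\
--------- maxlook unsigned files ---------

c:\\windows\\maxdriver\\vidstub.sys:
    Verified:    Unsigned
    File date:    7:19 PM 1/21/2010
    Version:    n/a
c:\\windows\\maxdriver\\sample.sys:
    Verified:    Unsigned
    File date:    1:00 PM 1/1/2010
    Version:    1.0.0.1

--------- system32\\drivers unsigned files ---------

c:\\windows\\system32\\drivers\\sample.sys:
    Verified:    Unsigned
    File date:    1:00 PM 1/1/2010
    Version:    1.0.0.2
"""

SECTION_RE = re.compile(r"^-{3,} (.+?) unsigned files -{3,}$")
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?):\s+(.*)$")


def parse_maxlook(text):
    """Return {section name: {driver file name: {field: value}}}."""
    sections, current, entry = {}, None, None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:                              # "--------- <name> unsigned files ---------"
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or not line:
            continue
        if not line[0].isspace() and line.endswith(":"):   # "c:\...\driver.sys:"
            entry = current.setdefault(line[:-1].rsplit("\\", 1)[-1].lower(), {})
            continue
        f = FIELD_RE.match(line)           # "    Version:    5.1.2600.3029"
        if f and entry is not None:
            entry[f.group(1)] = f.group(2).strip()
    return sections


def compare_lists(sections, offline="maxlook", live="system32\\drivers"):
    """Diff the offline (Recovery Console) copy against the live driver folder.
    Identical lists are the expected result on a clean machine; a driver that is
    unsigned in one copy only, or whose metadata differs, deserves a closer look."""
    off, liv = sections.get(offline, {}), sections.get(live, {})
    changed = {}
    for name in set(off) & set(liv):
        keys = set(off[name]) | set(liv[name])
        diffs = {k: (off[name].get(k), liv[name].get(k))
                 for k in keys if off[name].get(k) != liv[name].get(k)}
        if diffs:
            changed[name] = diffs
    result = {
        "only_offline": sorted(set(off) - set(liv)),
        "only_live": sorted(set(liv) - set(off)),
        "changed": changed,
    }
    result["clean"] = not (result["only_offline"] or result["only_live"] or changed)
    return result


if __name__ == "__main__":
    verdict = compare_lists(parse_maxlook(SAMPLE_LOG))
    print("clean" if verdict["clean"] else verdict)
```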



#24 Elise

Posted 07 May 2010 - 01:46 AM

That looks perfectly clean to me.

OTL FIX
------------
We need to run an OTL Fix
  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :commands
    [emptytemp]
    [resethosts]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

regards, Elise




#25 Hollyw00d

Posted 07 May 2010 - 11:31 AM

Here is the latest OTL report. Google search results still being redirected.

All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41620 bytes

User: Hollyw00d
->Temp folder emptied: 117044883 bytes
->Temporary Internet Files folder emptied: 13929633 bytes
->Java cache emptied: 1 bytes
->FireFox cache emptied: 42382251 bytes
->Google Chrome cache emptied: 819568 bytes
->Flash cache emptied: 109522 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 2793 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 15616058 bytes
->Java cache emptied: 9567 bytes
->Flash cache emptied: 25232 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2181852 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 55509399 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33529 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 236.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.4.1 log created on 05072010_030305

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


#26 Elise

Posted 07 May 2010 - 11:44 AM

Please rerun GMER. Now after the quick scan finishes, also run the complete scan (this may take a while) and post me the results. Instructions are in my first post.

regards, Elise




#27 Hollyw00d

Posted 10 May 2010 - 07:17 AM

Sorry, been out of commission for a few days. GMER kept crashing; I kept trying to run it both in normal Windows and in Safe Mode, slowly unchecking things, to no avail. Haven't had much progress at all. Symptoms haven't changed at all and, even though my Google links being redirected is but a minor annoyance, both Chrome and IE were still out of commission. I grabbed my Windows 7 DVD and made the pain go away.

I want to say thanks to Elise though for her time and help and I'll be sure to be checking other threads similar to mine out of curiosity to see how this thing finally gets taken out. You can close this thread =)

#28 Elise

Posted 10 May 2010 - 07:40 AM

I am sorry to hear we didn't figure things out and fix it, but glad you now have at least your computer working again.

I will now close this topic, if you need it reopened, please send me a PM.

Find below some general information you might find interesting.

Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software, then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates, you might want to take a look at the HostMan hosts file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

regards, Elise

