
Online protection tool virus and google redirect virus..


This topic is locked
10 replies to this topic

#1 Havoc079
  • Members
  • 19 posts
  • Local time:09:12 AM

Posted 13 May 2010 - 05:50 PM

I just completely reinstalled my Windows and I'm still getting redirected, and I'm also still not able to get onto the Malwarebytes site, and I can't use Microsoft Update or download. Is there a chance that when I put some stuff on my flash drive, and then took the drivers off that flash drive to update my computer, it could have reinfected me? If so, what do I need to do to (a) clean this off and (b) clean my flash drive?
Any help will be greatly appreciated.

I've scanned this computer 3 times and gotten the same problems each time. I'll post the most recent first and the other two in following replies.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4095

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

5/13/2010 3:28:54 AM
mbam-log-2010-05-13 (03-28-54).txt

Scan type: Full scan (C:\|)
Objects scanned: 126124
Time elapsed: 8 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{648e4f26-bd48-4bda-b906-dd725a4d48d7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Edited by Havoc079, 13 May 2010 - 05:54 PM.



#2 Havoc079
  • Topic Starter
  • Members
  • 19 posts
  • Local time:09:12 AM

Posted 13 May 2010 - 05:53 PM





This is the very first scan I did. As you can tell by the times, these were all done within a relatively short time. The only reason the first one I posted has a 3:30 time is because I changed my clock from Pacific to Eastern in the middle of the scan. All 3 scans were done within an hour of each other, and I haven't been to very many sites to pick up anything at all, and all 3 have the same DNS changer.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4095

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

5/12/2010 11:55:56 PM
mbam-log-2010-05-12 (23-55-56).txt

Scan type: Full scan (C:\|)
Objects scanned: 119747
Time elapsed: 8 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{648e4f26-bd48-4bda-b906-dd725a4d48d7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



This is the second scan that I did when I included my flash drive, which I think might have been infected with a few files that I took off and put on there before I reinstalled Windows so I could have them backed up. Here's the log for that.
As you can see, in all 3 I'm getting the same trojan and it will not go away. It's causing redirects, I can't update Microsoft, I can't install AVG, and I got the same Online Protection Tool virus pop-up earlier on Firefox.
Help please, this is getting ridiculous.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4095

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

5/13/2010 12:18:43 AM
mbam-log-2010-05-13 (00-18-43).txt

Scan type: Full scan (J:\|)
Objects scanned: 113313
Time elapsed: 2 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{648e4f26-bd48-4bda-b906-dd725a4d48d7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
J:\il0byu3h.com (Spyware.OnlineGames) -> Quarantined and deleted successfully.


I've also gone back and just checked my registry, and BOTH of those files that were supposedly deleted are still there. Any help is greatly appreciated. Sorry if it's a little jumbled or by some chance unreadable; if the logs are too close together or anything, let me know and I can repost them as needed.

Thanks in advance.




#3 SpySentinel
  • Staff Emeritus
  • 2,090 posts
  • Gender:Male
  • Location:The United States
  • Local time:08:12 AM

Posted 13 May 2010 - 07:20 PM

Hi Havoc079,

Welcome to Bleeping Computer



Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:





  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**




DNS Changer infection


Please read this post completely, it may make it easier if you copy and paste this post to a new text document or print it for reference later. This will especially help you when your computer is off line.

Also copy this link for router passwords - see below
http://www.phenoelit-us.org/dpl/dpl.html

Copy this link for video tutorial - see below
http://onguardonline.gov/tutorials/index.h...orials-wireless


Some things here to know.

DNS changer infects your router.

We need to clean your machine again, off line, so that the router can't re-infect your computer.

Before you use the router again we want to reset it to its default settings to remove the infection and stop it coming back.

Some routers you can reset quite easily just by rebooting them; others need a different approach. For some types of internet (i.e. DSL connections that use PPPoE in the router), you will need to know the data to re-set up the router itself.

What I am going to do now is give you some instructions that work in most cases.

If however it doesn't work for you, you will lose internet connection and will need to talk to your router provider to ascertain how to re-setup your router.


You have used Malwarebytes before.

If you no longer have Malwarebytes, please download it.

Next disconnect your system from the internet, and your router, then…

Double Click mbam-setup.exe to install the application.
  • Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


===============================================

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don't know the router's default password, you can look it up HERE.

However, if there are other Zlob-infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Once you have run Malwarebytes' Anti-Malware on the infected system and reset the router to its default configuration, you can reconnect to the internet and router. Then return to this site to post your logs.
Unified Network of Instructors and Trained Eliminators

My help is always free, but if you can, please [image link] to help me continue the fight against malware.
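An added example, not code from this thread, Malwarebytes or BleepingComputer: a small Python check that parses the DhcpNameServer lines from the MBAM logs above and reports which resolvers are neither private LAN addresses (what a home router normally hands out) nor on an allowlist of the resolvers the network should be using. The allowlist values are placeholders; the same check applies to whatever DhcpNameServer values the machine receives after the router reset described above.

```python
import ipaddress
import re
from typing import Any, Dict, Iterable, List

# Constructed input: the two DhcpNameServer lines from the first MBAM log in
# this thread, copied verbatim (backslashes doubled for the string literal).
SAMPLE_LOG = (
    "Registry Data Items Infected:\n"
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
    "\\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105"
    " 1.2.3.4 -> Quarantined and deleted successfully.\n"
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
    "\\Interfaces\\{648e4f26-bd48-4bda-b906-dd725a4d48d7}\\DhcpNameServer"
    " (Trojan.DNSChanger) -> Data: 93.188.161.105 93.188.166.105 1.2.3.4"
    " -> Quarantined and deleted successfully.\n"
)

# Assumed allowlist: the public resolvers this network is supposed to use
# (placeholder addresses; substitute the ones your ISP actually assigns).
EXPECTED_RESOLVERS = ("203.0.113.53", "203.0.113.54")

# One MBAM "Registry Data Items Infected" line for a DhcpNameServer value:
# registry key, detection name, then the space-separated server list.
LINE_RE = re.compile(
    r"^(?P<key>HKEY_\S*\\DhcpNameServer) \((?P<detection>[^)]+)\)"
    r" -> Data: (?P<data>.+?) -> "
)


def parse_dhcp_nameserver_entries(log_text: str) -> List[Dict[str, Any]]:
    """Extract every DhcpNameServer hit (key, detection, servers) from a log."""
    entries: List[Dict[str, Any]] = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append({
                "key": match.group("key"),
                "detection": match.group("detection"),
                "servers": match.group("data").split(),
            })
    return entries


def is_expected_resolver(address: str, allowlist: Iterable[str]) -> bool:
    """Allowlisted, or private-use (RFC 1918 style), which is what a home
    router forwarding DNS for its LAN hands out; anything else is suspect."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # malformed data is never an expected resolver
    return address in set(allowlist) or ip.is_private


def rogue_resolvers(servers: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Return the resolvers that are neither allowlisted nor private."""
    return [s for s in servers if not is_expected_resolver(s, allowlist)]


def audit_log(log_text: str, allowlist: Iterable[str]) -> Dict[str, List[str]]:
    """Map each registry key to the rogue resolvers it held; clean keys omitted."""
    report: Dict[str, List[str]] = {}
    for entry in parse_dhcp_nameserver_entries(log_text):
        rogue = rogue_resolvers(entry["servers"], allowlist)
        if rogue:
            report[entry["key"]] = rogue
    return report
```

Running `audit_log(SAMPLE_LOG, EXPECTED_RESOLVERS)` flags all three addresses under both keys, since 93.188.161.105, 93.188.166.105 and 1.2.3.4 are public addresses that no ISP on the allowlist hands out.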

#4 Havoc079
  • Topic Starter
  • Members
  • 19 posts
  • Local time:09:12 AM

Posted 13 May 2010 - 08:01 PM

2 questions. I've used ComboFix in the past, and when I was done with it I would be unable to use Internet Explorer or certain messengers even after a restart, and the only way to get back to using it was to do a system restore. Not sure if that will happen in the current shape since I've reinstalled Windows. If this happens, what do I do about it to get it back? And the second question is, I'm using a friend's wireless for the time being and not exactly sure what his router numbers are, etc. With me doing this on my end, will it be pointless if I clean my computer and then reconnect to his router and then just reinfect myself? I'm pretty sure I know where the infection came from and that it's on my computer only. Am I transferring this to his computer as well, and anything else connected to the network, or is it basically staying on my end? I'm using a Linksys SpeedBooster adapter to use his network, if that helps in the matter at all. I've downloaded ComboFix and renamed it during the download, and will run that in a few moments.


#5 SpySentinel
  • Staff Emeritus
  • 2,090 posts
  • Gender:Male
  • Location:The United States
  • Local time:08:12 AM

Posted 14 May 2010 - 11:59 PM

QUOTE
And the second question is, I'm using a friend's wireless for the time being and not exactly sure what his router numbers are, etc. With me doing this on my end, will it be pointless if I clean my computer and then reconnect to his router and then just reinfect myself?



Yes, we need to reset the router so that you don't get redirected anymore.


QUOTE
I've used ComboFix in the past, and when I was done with it I would be unable to use Internet Explorer or certain messengers even after a restart, and the only way to get back to using it was to do a system restore. Not sure if that will happen in the current shape since I've reinstalled Windows.


Did ComboFix find any infection when you ran it? Your Internet Explorer may have been infected.


Once you get ComboFix to run go ahead and post the results here.

#6 Havoc079
  • Topic Starter
  • Members
  • 19 posts
  • Local time:09:12 AM

Posted 15 May 2010 - 02:01 AM

Hey, thanks for your quick reply. I actually didn't get a chance to run ComboFix, but I had to run Malwarebytes on one of those antivirus bugs to get rid of it. After I ran Malwarebytes it got rid of it, but it would not allow me to use Explorer or Yahoo Messenger afterwards. I'm using a friend's wireless like I said, so I can't exactly just reset the router right now. Long story short, I did another reformat and install of Windows, and the redirecting problems and the online virus bug don't seem to be there, so I think I'm fine now. For future reference though, if something happens again and I run Malwarebytes, how do I go about getting Explorer and my messenger to work again? Firefox was running fine though.

Thanks for all your help, it's really appreciated.


#7 Havoc079
  • Topic Starter
  • Members
  • 19 posts
  • Local time:09:12 AM

Posted 15 May 2010 - 02:04 AM

One more quick question as well. Is it possible my flash drive is corrupted but it only stuck to audio and pictures and didn't get into the driver files? Or was it somehow that the virus was still on the computer after the first reinstall and I completely wiped it on the second formatting? I'm just curious because I have music on the flash drive I might want to put back on here sometime, and I don't want to really risk it if it's possibly on there and get reinfected on here.


#8 SpySentinel
  • Staff Emeritus
  • 2,090 posts
  • Gender:Male
  • Location:The United States
  • Local time:08:12 AM

Posted 16 May 2010 - 08:37 PM

Thanks for letting me know about the reformat.

QUOTE
For future reference though, if something happens again and I run Malwarebytes, how do I go about getting Explorer and my messenger to work again? Firefox was running fine though.


MBAM should not cause this issue unless your computer is infected with a patching virus like Virut or Sality, in which case you are better off reformatting anyway.


QUOTE
I'm just curious because I have music on the flash drive I might want to put back on here sometime, and I don't want to really risk it if it's possibly on there and get reinfected on here.


Did you install anything onto the Flash Drive from the infected computer while it was infected?

#9 Havoc079
  • Topic Starter
  • Members
  • 19 posts
  • Local time:09:12 AM

Posted 17 May 2010 - 02:35 AM

I've had that issue with Malwarebytes and ComboFix in the past, where I'd have used either and then I could not use Explorer or Yahoo Messenger, and then I'd have to do a system restore to a few days to a week earlier and then everything would be fine. Not exactly sure what the deal is with that. I was just asking for future reference if it happened again.

As for the reformat, this being the second one, I completely deleted the partition this time and reinstalled it again. I only took off the drivers and files I needed to get Windows back online off the flash drive this time, and I haven't had any problems at all. I'm not sure if it was the total deletion of the partition before the reformat that fixed things or that I just took off those drivers. I'm not sure how that works with a virus on a flash drive. Last time I took off the drivers, a RAR file of pictures and one audio file, but every one of the files I took off had been on the flash drive for 6 months or longer and have never had a problem. I did however put a few files on the flash drive before the first reinstall of Windows, but if they infected the RAR and the audio file, wouldn't they have infected the driver files as well? And if it is possibly infected, is there any way to clean it out?

Again, thanks for all your help, it's greatly appreciated.

#10 SpySentinel
  • Staff Emeritus
  • 2,090 posts
  • Gender:Male
  • Location:The United States
  • Local time:08:12 AM

Posted 23 May 2010 - 03:50 PM

Sorry for the delay.

I'd like to see two more scans to make sure you are clean:


  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)




Run ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
You can refer to this animation by neomage if needed.

#11 SpySentinel
  • Staff Emeritus
  • 2,090 posts
  • Gender:Male
  • Location:The United States
  • Local time:08:12 AM

Posted 05 June 2010 - 10:55 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact me or another staff member.

Everyone else please start a new thread.