Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect problem


  • This topic is locked This topic is locked
18 replies to this topic

#1 reddead45

reddead45

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 15 June 2010 - 09:22 PM

Howdy,

I'm running XP Professional 2002 SP3

Last week, I've found my Google search result links have redirected me specifically to sites such as tazinga.com & kdirectory.co.uk. I ran Malwarebytes' Anti-Malware in Safe Mode and successfully removed 3 "Trace.Malware" files. All was well until a couple days later, and since have had the same problems. Malwarebytes' has not since detected anything else. My computer has been a bit slower. Sometimes my taskbar freezes, and I'm unable to open the Task Manager with Ctrl+Alt+Del as well as Ctrl+Shift+Esc.

However, the latter problem may not be according to the Google redirect. That is my primary concern.

Any help or advice, programs to download would be greatly appreciated. Thank you very much for your time.

EDIT: Really sorry; I suppose this belongs on another forum?

Edited by reddead45, 15 June 2010 - 09:33 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:03 PM

Posted 15 June 2010 - 10:21 PM

Hello and welcome. I am moving this to the Am I Infected forum from XP, as I need to see some logs.

Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware

, Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you

should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 reddead45

reddead45
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 16 June 2010 - 12:19 AM

I apologize for the delay. My regular user account has not been logged into for maybe a year. Should I still do so, and perhaps have to download several updates upon the log-in?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:03 PM

Posted 16 June 2010 - 08:46 AM

Hi, you can scan all users. Most important is the one you use the most.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 reddead45

reddead45
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 16 June 2010 - 10:59 PM

Thanks, boopme. Embarrassingly, here are the two logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/16/2010 at 04:18 AM

Application Version : 4.39.1002

Core Rules Database Version : 5071
Trace Rules Database Version: 2883

Scan type : Complete Scan
Total Scan Time : 00:39:29

Memory items scanned : 296
Memory threats detected : 0
Registry items scanned : 7394
Registry threats detected : 0
File items scanned : 21110
File threats detected : 19

Adware.Flash Tracking Cookie
C:\Documents and Settings\Sam_2\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\9VT2DLYN\FILES.YOUPORN.COM
C:\Documents and Settings\Sam_2\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\9VT2DLYN\STATIC.YOUPORN.COM
C:\Documents and Settings\Sam_2\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\9VT2DLYN\VIDEOMEDIA.IGN.COM

Adware.Tracking Cookie
convoad.technoratimedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\QUKN3MHA ]
core.insightexpressai.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\QUKN3MHA ]
media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\QUKN3MHA ]
media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\QUKN3MHA ]
objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\QUKN3MHA ]
secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\QUKN3MHA ]
C:\Documents and Settings\NetworkService\Cookies\system@enhance[2].txt
files.youporn.com [ C:\Documents and Settings\Sam_2\Application Data\Macromedia\Flash Player\#SharedObjects\9VT2DLYN ]
static.youporn.com [ C:\Documents and Settings\Sam_2\Application Data\Macromedia\Flash Player\#SharedObjects\9VT2DLYN ]
videomedia.ign.com [ C:\Documents and Settings\Sam_2\Application Data\Macromedia\Flash Player\#SharedObjects\9VT2DLYN ]

Trojan.Agent/Gen-CDesc[Gen]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F717886B-0BB3-48E8-B9AB-52F560980F3A}\RP56\A0018721.EXE

Rogue.SysinternalsAntiVirus
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F717886B-0BB3-48E8-B9AB-52F560980F3A}\RP57\A0021126.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F717886B-0BB3-48E8-B9AB-52F560980F3A}\RP58\A0021180.EXE

Rogue.XJRAntiVirus
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F717886B-0BB3-48E8-B9AB-52F560980F3A}\RP57\A0021136.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F717886B-0BB3-48E8-B9AB-52F560980F3A}\RP57\A0021156.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F717886B-0BB3-48E8-B9AB-52F560980F3A}\RP58\A0021165.DLL

_________________________________________________________________________________








Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4173

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/16/2010 9:31:14 PM
mbam-log-2010-06-16 (21-31-14).txt

Scan type: Quick scan
Objects scanned: 125286
Time elapsed: 13 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 reddead45

reddead45
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 17 June 2010 - 12:07 AM

Although the computer seems to run better I still have the occasional pop-up from directdr.com when checking my e-mail or other websites. Unfortunately, I didn't mention this problem (didn't think it was one) earlier, and assumed it was related to the previous one.

Otherwise, everything is still better than before, so thanks for your time.

Edited by reddead45, 17 June 2010 - 12:08 AM.


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:03 PM

Posted 17 June 2010 - 10:17 AM

Doesn't look so bad. Maybe we can get that last one with an Online scan.

ESET
Please perform a scan with Eset Online Antiivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Insall ActiveX component.
  • A new window will appear asking "Do you want to install this software?"".
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software. Just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\ESET\ESET Online Scanner\log.txt
    folder.
  • Click Posted Image > Run..., then copy and paste this command into the open box: C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 reddead45

reddead45
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 17 June 2010 - 11:45 AM

Internet Explorer gives my computer huge problems. A few minutes ago I tried loading this forum. Couldn't reach this thread before my browser froze, the stop button froze in place when I clicked on it, and same with the Start button and taskbar. I had to force shutdown.

I only used IE for an online class, and I refuse to use it for anything else. Is there a way around this? I'll try this one more time.

#9 reddead45

reddead45
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 17 June 2010 - 11:18 PM

Nevermind the previous post. Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=9c77bdbdd75875418f65fdb63f138448
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-18 05:02:34
# local_time=2010-06-17 10:02:34 (-0800, Pacific Daylight Time)
# country="Japan"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 8312181 8312181 0 0
# compatibility_mode=4352 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=51924
# found=1
# cleaned=1
# scan_time=10738
C:\Documents and Settings\Sam\Local Settings\Application Data\Mozilla\Firefox\Profiles\ec7umjuu.default\Cache(3)\6AD4B9C3d01 JS/Exploit.Pdfka.OAK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:03 PM

Posted 18 June 2010 - 11:23 AM

Looking a lot better ,how's it running?
What version of JAVA is running?
Go into Control Panel>Add Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this).
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 reddead45

reddead45
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 18 June 2010 - 01:34 PM

Hi,

All I see is Java 6 Update 20 (which is Version 6.0.200 under support information).

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:03 PM

Posted 18 June 2010 - 04:19 PM

Ok,that's the good one.. Let's check for a rootkit then...

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 reddead45

reddead45
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 19 June 2010 - 12:11 AM

Here's the log. I believe there was a conflict with Trend Micro being open, so I exited and restarted the scan.



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-18 22:05:52
Windows 5.1.2600 Service Pack 3
Running: 707ex4j3.exe; Driver: C:\DOCUME~1\Sam\LOCALS~1\Temp\pxtdqpog.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1468] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0074000A
.text C:\WINDOWS\System32\svchost.exe[1468] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1468] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0073000C
.text C:\WINDOWS\System32\svchost.exe[1468] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 018D000A
.text C:\WINDOWS\System32\svchost.exe[1468] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E3000A
.text C:\WINDOWS\Explorer.EXE[1840] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1840] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[1840] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BC000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2196] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0121000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2196] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0122000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2196] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0120000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@FriendlyName Indeo? video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@EncoderType 1

---- EOF - GMER 1.0.15 ----

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:03 PM

Posted 19 June 2010 - 08:58 AM

Your HOSTS file may be infected. So let's replace it, reboot in Safe Mode with Networking.
Click on Start then Run and type: %windir%\system32\drivers\etc\
Delete the following file: C:\WINDOWS\system32\drivers\etc\hosts

While in safe mode, launch MBAM and try to update the definition database. DO NOT scan yet. Reboot normally, then perform a new Quick Scan and check all items found for removal. You must reboot normally after the scan to remove the malware.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 reddead45

reddead45
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 19 June 2010 - 02:40 PM

Every box was checked in the General and Scanner settings. Is that correct? Here is the log:




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4216

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2010/06/19 12:22:50
mbam-log-2010-06-19 (12-22-50).txt

Scan type: Quick scan
Objects scanned: 138751
Time elapsed: 17 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users