
Browser redirect


#1 john619

Posted 29 June 2010 - 09:32 AM

Malwarebytes has quarantined 23 items, however I'm still getting browser redirect, and this stuff is pretty weird.
It sends you to a white screen with a "type in the numbers as you see them in the box" screen with a big 'GO' button. Also still getting the bogus Windows update balloon from the taskbar, saying there are security updates available. I am infected with AV Suite AND Defence Center.


#2 john619 (Topic Starter)

Posted 29 June 2010 - 03:59 PM

I can be a little more specific... Windows XP Pro OS. I ran Malwarebytes that I got off this forum, from the self-help post for how to remove Defence Center. My machine got infected with Defence Center and AV Security Suite in rapid succession, from the browser redirect function of AV, when I allowed myself to be unwittingly redirected right into a site that was infected by Defence Center. The Malwarebytes scans are now coming in clean, and the machine works normally in every way, except for when I try to use a search engine link in Google: it sends me off into other random directories, and also at times to a login-type screen, where I am asked to enter a scrambled code (like when you sign up for something legit on the web) and click 'go' or 'start', which of course I do not do. Interestingly enough, when this occurs, the little voice balloon pops up off my toolbar telling me Windows updates are ready to be downloaded. I suspect this function is part of the virus, because Defence Center used this originally as part of the ransom to try to make you buy it. Anyways, I have not deleted any of the quarantined files from Malwarebytes yet, so I could post them here if anybody wants to see them. I'm also running HijackThis, so my scan log from there is also available.

#4 kennzsniper

Posted 29 June 2010 - 04:49 PM

Please post the MBAM logs.
Hardware tech when I was in college.
1st job was network support for SOHO.
2nd job was lappy tech.
3rd job way out of my league, but it's nice...

#5 john619 (Topic Starter)

Posted 29 June 2010 - 06:03 PM

1st run

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4252

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/29/2010 7:04:30 AM
mbam-log-2010-06-29 (07-04-30).txt

Scan type: Full scan (C:\|)
Objects scanned: 182519
Time elapsed: 25 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\PRAGMAtftapinlns (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\John R&R\Local Settings\Application Data\ofkuveyib\gofccqvtssd.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
C:\Documents and Settings\John R&R\Local Settings\Temp\188b59aa.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
C:\Documents and Settings\John R&R\Local Settings\Temp\AUTMGR32.EXE (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\John R&R\Local Settings\Temp\mschrt20ex.dll (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\PROGS\compuMsg.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D1F3FA24-B057-45C4-A3EC-606223C0383D}\RP947\A0043437.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D1F3FA24-B057-45C4-A3EC-606223C0383D}\RP947\A0043438.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D1F3FA24-B057-45C4-A3EC-606223C0383D}\RP947\A0043439.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D1F3FA24-B057-45C4-A3EC-606223C0383D}\RP949\A0043550.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D1F3FA24-B057-45C4-A3EC-606223C0383D}\RP949\A0043563.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D1F3FA24-B057-45C4-A3EC-606223C0383D}\RP949\A0043564.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\John R&R\Local Settings\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

and then...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4252

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/29/2010 7:13:02 AM
mbam-log-2010-06-29 (07-13-02).txt

Scan type: Full scan (C:\|)
Objects scanned: 14405
Time elapsed: 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

and then...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4252

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/29/2010 1:12:20 PM
mbam-log-2010-06-29 (13-12-20).txt

Scan type: Full scan (C:\|)
Objects scanned: 186241
Time elapsed: 28 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D1F3FA24-B057-45C4-A3EC-606223C0383D}\RP950\A0044782.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D1F3FA24-B057-45C4-A3EC-606223C0383D}\RP950\A0044783.dll (Spyware.Agent) -> Quarantined and deleted successfully.

and again

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4252

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/29/2010 3:21:40 PM
mbam-log-2010-06-29 (15-21-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 185413
Time elapsed: 30 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I have not attempted to use a search engine link since it scanned clean, but that seems to be the sequence... MBAM cleans it up, then it grabs on again when I try to use a link... I'm fine as long as I type directly into the browser bar. Machine seems fine otherwise.
Thanks in advance for the help!!!!!!
If it makes any difference, I have my own store-bought official copy of my OS from Microsoft (XP Pro).
Also, there are backup files saved in my HijackThis that I removed prior to running MBAM, but I'm not sure how to copy them into this format; simple cut and paste doesn't work.
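The logs above follow a fixed MBAM 1.46 layout (summary counts, then one `object (Family) -> action` line per detection under section headers). As an added example, not code from the thread or from Malwarebytes, the script below parses that layout and pulls out the two things a responder would want from the first log: whether any `Rootkit.*` family (here Rootkit.TDSS) was hit, since a quarantined TDSS component alone does not prove the rootkit is gone, and whether the remaining file hits live only inside `System Volume Information` restore points rather than on the live system. The sample log is constructed in that layout; `{ID}` is a placeholder for the restore-point GUID.

```python
import re
from collections import Counter

# Constructed sample in the MBAM 1.46 log layout posted above; {ID} is a placeholder
# standing in for the restore-point GUID, not a value from the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Registry Keys Infected: 2
Files Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{ID}\RP947\A0043437.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\example.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\PROGS\compuMsg.dll (Spyware.Agent) -> Quarantined and deleted successfully.
"""

# object (Family) -> action, the shape of every MBAM detection line
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
RESTORE_PREFIX = "c:\\system volume information\\"

def parse_detections(log_text):
    """Return (section, object, family, action) for every detection line."""
    section, found = None, []
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.endswith(" Infected:"):      # section header, e.g. 'Files Infected:'
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if section and m:
            found.append((section, m["obj"], m["family"], m["action"]))
    return found

def triage(log_text):
    """Summarise what matters before calling the machine clean."""
    hits = parse_detections(log_text)
    files = [h[1] for h in hits if h[0] == "Files Infected"]
    live = [f for f in files if not f.lower().startswith(RESTORE_PREFIX)]
    families = Counter(h[2] for h in hits)
    return {
        "total": len(hits),
        "families": dict(families),
        # a Rootkit.* hit means the MBAM quarantine alone may not be the end of it
        "rootkit_seen": any(f.startswith("Rootkit.") for f in families),
        "restore_point_only": bool(files) and not live,  # only old snapshots hit
        "live_files": live,
    }
```

Run `triage()` over each of the four logs in turn: the later logs, where the only file hits sit under `RP950`, come back with `restore_point_only` set, which is the cue to purge old restore points rather than treat them as a re-infection.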

#6 john619 (Topic Starter)

Posted 01 July 2010 - 02:13 AM

If you are having this problem, read the post from Budapest to grevpivot, and download the TDSSKiller tool; that seemed to finally stop the browser redirect problem on my machine. Good looking out, Budapest :thumbsup:
