Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

google link redirect to random search engine


  • This topic is locked This topic is locked
10 replies to this topic

#1 Azurae

Azurae

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 09 July 2010 - 07:39 PM

Hello,

After getting infected by Rogue.DefenseCenter, I ran antimalwarebyte to get rid of it, but had to force shutdown the computer due to clash between the program trying to install and malwarebyte trying to get rid of it. After I turned on the computer again, Rogue.DefenseCenter seems to vanish but I noticed that when I do a search for anything on google, and click on the link, instead of getting me to the site I wanted, it redirected me to a random search engines or sites. From googling for help on the topic, I run combofix.exe, which I did, and then I run the malwarebytes anti-malware program, and bitdefender online scan (which say no infections) to scan for any other virus. I am posting the logs here (in the order that I do the scan), can some one please check it out for me to see if there is anything else I need to do to completely get rid of the infection? Thanks for your help.

Note: I didn't have the DDS & GMER log because I run the combofix before I know of bleepingcomputer.com and that I am supposed to run DDS & GMER first before combofix.

Attached Files


Edited by Azurae, 10 July 2010 - 07:30 PM.


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:33 AM

Posted 12 July 2010 - 06:44 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 Azurae

Azurae
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 13 July 2010 - 03:30 PM

thanks for replying,

I am still here, so far the only thing I did was what I have posted. So far, I haven't seen any redirect yet. However, when Microsoft window defender run, it comes up with a Trojan:Win32/Hiloti.gen!D warning but antimalwarebytes and mcafee virus scan doesn't show any warning.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:33 AM

Posted 13 July 2010 - 05:34 PM

Well, running Combofix without help was not clever: Cue telling off tongue.gif

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

It did remove your major issue which was a rootkit but we need to check if there's anything left.


Run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
Posted Image
m0le is a proud member of UNITE

#5 Azurae

Azurae
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 14 July 2010 - 07:39 PM

Here's my log from Malwarebytes Anti-Malware

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4310

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/13/2010 8:48:55 PM
mbam-log-2010-07-13 (20-48-55).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 268095
Time elapsed: 1 hour(s), 19 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I ran ESET twice, first time I have to stop at about 34% of the scan and it gives the log that I post below, the second time there's no log produced after it complete scanning.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=9eb31b80a2ac444f92113fdf949bc7fd
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-14 01:36:54
# local_time=2010-07-13 09:36:54 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=14387
# found=2
# cleaned=2
# scan_time=2425
C:\Documents and Settings\hle\Application Data\Sun\Java\Deployment\cache\6.0\37\481c6c65-1499c2b5 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\hle\Application Data\Sun\Java\Deployment\cache\6.0\39\36b0e6a7-326d550c a variant of Java/Exploit.Agent.NAC trojan (deleted - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=9eb31b80a2ac444f92113fdf949bc7fd
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-15 12:07:15
# local_time=2010-07-14 08:07:15 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=128434
# found=0
# cleaned=0
# scan_time=15296

Edited by Azurae, 14 July 2010 - 07:40 PM.


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:33 AM

Posted 15 July 2010 - 04:43 PM

How is the PC running now?
Posted Image
m0le is a proud member of UNITE

#7 Azurae

Azurae
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 17 July 2010 - 10:56 AM

I haven't seen any google redirects so far, so I guess it's working okay for now. Thanks for you help.

ps. Do you know how I can stop my computer from loading up the black screen asking me to start the computer in safe mode or full window xp, then automatically open it in full mode everytime that I reboot the computer?

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:33 AM

Posted 17 July 2010 - 04:40 PM

I think you mean the automatic recovery console window installed by Combofix...

Deleting the Recovery Console

Warning: To remove the Recovery Console you need to modify the Boot.ini file. Modifying this file incorrectly can prevent your computer from starting properly. Please only attempt this step if you feel comfortable doing this.

To remove the Recovery Console from your hard drive follow these steps:

1. Double-click on My Computer and then double-click on the drive you installed the Recovery Console (usually the C: drive).

2. Click on the Tools menu and select Folder Options.

3. Click on the View tab.

4. Select Show hidden files and folders and uncheck Hide protected operating system files.

5. Press the OK button.

6. Now at the root folder delete the Cmdcons folder and the Cmldr file.

7. At the root folder, right-click the Boot.ini file, and then click Properties.

8. Click to clear the Read-only check box, and then click the OK button.

9. Click on Start, then Run and type Notepad.exe c:\boot.ini in the Open: field and press the OK
button.

10. Remove the entry for the Recovery Console. It will look similar to this:

C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons

Make sure you only delete that one entry.

11. When you are done, close the notepad and save when it asks.

12. Right click again on the boot.ini file and select Properties.

13. Put a checkmark back in the Read-only checkbox and then press the OK button.

The recovery console should now be removed from your system. smile.gif
Posted Image
m0le is a proud member of UNITE

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:33 AM

Posted 19 July 2010 - 06:58 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
Posted Image
m0le is a proud member of UNITE

#10 Azurae

Azurae
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 20 July 2010 - 06:01 PM

I am sorry I forget to reply, however, I haven't seen any other new problems with the computer so far, so please feel free to close this topic.

Edited by Azurae, 20 July 2010 - 06:02 PM.


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:33 AM

Posted 20 July 2010 - 06:41 PM

Thanks, glad your PC is back to normal thumbup2.gif

-------------------------------------------------------------------

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. smile.gif

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users