Torpig / Google redirect... can't shake it?



#1 Jason*


Posted 14 July 2010 - 08:36 PM

Hey all.
Hopefully someone can help me so I can save some money on the suicide hotline I have been on... lol

Windows XP SP2

Computer runs fairly fast. Could always run faster, but that's not the issue.

Okay. I have run MWB and SAS; both logs are attached. I ran a check to see if it redirects... Yup. I put a topic into Google search and it displays the results, but when I click on one, it always sends me somewhere else.
I also get phishing sites when I go to my bank or similar websites, which ask for all kinds of personal info (which of course I don't give). They are look-alike pages from the bank.
I ran these not in Safe Mode.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4314

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

7/14/2010 2:54:42 PM
mbam-log-2010-07-14 (14-54-42).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|P:\|)
Objects scanned: 292059
Time elapsed: 1 hour(s), 36 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Here is SAS

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/14/2010 at 04:46 PM

Application Version : 4.39.1002

Core Rules Database Version : 5200
Trace Rules Database Version: 3012

Scan type : Complete Scan
Total Scan Time : 01:38:08

Memory items scanned : 712
Memory threats detected : 0
Registry items scanned : 7835
Registry threats detected : 0
File items scanned : 35079
File threats detected : 10

Adware.Tracking Cookie
C:\Documents and Settings\Jason \Cookies\jason@ad.wsod[2].txt
C:\Documents and Settings\Jason \Cookies\jason@invitemedia[2].txt
C:\Documents and Settings\Jason \Cookies\jason@ads.nascar[1].txt
media.mtvnservices.com [ C:\Documents and Settings\Jason \Application Data\Macromedia\Flash Player\#SharedObjects\H3GR7CEX ]
media.scanscout.com [ C:\Documents and Settings\Jason o\Application Data\Macromedia\Flash Player\#SharedObjects\H3GR7CEX ]
objects.tremormedia.com [ C:\Documents and Settings\Jason \Application Data\Macromedia\Flash Player\#SharedObjects\H3GR7CEX ]
secure-us.imrworldwide.com [ C:\Documents and Settings\Jason \Application Data\Macromedia\Flash Player\#SharedObjects\H3GR7CEX ]

Adware.Flash Tracking Cookie
C:\Documents and Settings\Jason \Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\H3GR7CEX\MEDIA.MTVNSERVICES.COM
C:\Documents and Settings\Jason \Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\H3GR7CEX\OBJECTS.TREMORMEDIA.COM
C:\Documents and Settings\Jason \Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\H3GR7CEX\SECURE-US.IMRWORLDWIDE.COM


Still have the redirects.



I will run Esets overnight and report back.

Any help would be appreciated.


#2 boopme


Posted 14 July 2010 - 09:58 PM

Also press CTRL+SHIFT+ESC; this opens Task Manager to the Processes tab.
Look for and end these if they are there:
ibm00001.exe
country.exe


Next, search for these:
Right-click on the file and then click on the Delete button.
ibm00001.dll
ibm00002.dll
ibm00003.dll
ibm00004.dll
ibm00001.exe
ibm00003.exe


Torpig will log keystrokes. I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.



Let me know after ESET.

Edited by boopme, 14 July 2010 - 09:59 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Jason*


Posted 15 July 2010 - 12:10 PM


Hello, and thanks for your help.

I ran the ESET scan. I also ran a search for all those files and nothing came up. I also checked the Task Manager and none of those other ones were there.
Still getting redirects after the ESET scan :thumbsup:

ESET Log


C:\RECYCLER\S-1-5-21-3444262483-3352509391-4166364046-1007\Dc98.exe a variant of Win32/SecurityStronghold application deleted - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1345\A0555045.exe a variant of Win32/SecurityStronghold application deleted - quarantined

#4 boopme


Posted 15 July 2010 - 12:49 PM

If still redirecting >>>
Change your DNS Servers:
  • Go to Start > Run... and in the Open box, type: cmd
  • Press OK or hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.
If the above commands did not resolve the problem, the next thing to try is to reset your network settings and configure TCP/IP to use DNS.
  • Go to Start > Control Panel, and choose Network Connections.
  • Right-click on your default connection, usually Local Area Connection, or Dial-up Connection if you are using dial-up, and choose Properties.
  • Double-click on Internet Protocol (TCP/IP) or highlight it and select Properties.
  • Under the General tab, write down any settings in case you should need to change them back.
  • Select the button that says "Obtain an IP address automatically" or make sure the DNS server IP address is the same as provided by your ISP.
  • Select the button that says "Obtain DNS servers automatically".
  • If unknown Preferred or Alternate DNS servers are listed, uncheck the box that says "Use the following DNS server address".
  • Click OK twice to get out of the properties screen and restart your computer. If not prompted to reboot, go ahead and reboot manually.
-- Vista users can refer to How to Change TCP/IP settings

CAUTION: It's possible that your ISP (Internet Service Provider) requires specific DNS settings here. Make sure you know if you need these settings or not BEFORE you make any changes or you may lose your Internet connection. If you're sure you do not need a specific DNS address, then you may proceed.

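As an added check for the DNS step above (example code written for this page, not from the thread or BleepingComputer): this Python script parses `ipconfig /all` output, here a constructed Windows XP sample, and flags any configured DNS server that is not in an allowlist of known-good resolvers. The allowlist addresses and the sample adapters are assumptions; a static entry pointing at an unknown resolver is the pattern a DNS-changing infection leaves behind and is what the "unknown Preferred or Alternate DNS servers" step is looking for.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `ipconfig /all` output (Windows XP layout; not from the thread).
SAMPLE_IPCONFIG = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Dhcp Enabled. . . . . . . . . . . : No
        DNS Servers . . . . . . . . . . . : 203.0.113.7
                                            198.51.100.53
PPP adapter Dial-up Connection:
        Dhcp Enabled. . . . . . . . . . . : Yes
        DNS Servers . . . . . . . . . . . : 198.51.100.53
"""

# Resolvers the operator knows to be legitimate (constructed: the ISP's resolver plus
# the private LAN, where the router forwards DNS). Replace with the real values.
EXPECTED_RESOLVERS = (ip_network("198.51.100.53/32"), ip_network("192.168.0.0/16"))

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")          # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z /-]*?)[\s.]*:\s*(.*)$")  # "Key . . : value"
CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")                  # extra DNS servers, one per line

def parse_ipconfig(text):
    # Returns {adapter: {"dhcp": bool|None, "dns": [server, ...]}}
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {"dhcp": None, "dns": []})
            in_dns = False
            continue
        if current is None:          # lines before the first adapter block
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            in_dns = key == "dns servers"
            if in_dns and value:
                current["dns"].append(value)
            elif key == "dhcp enabled":
                current["dhcp"] = value.lower() == "yes"
            continue
        m = CONT_RE.match(line)
        if m and in_dns:             # continuation line of the DNS Servers field
            current["dns"].append(m.group(1))
    return adapters

def find_unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    # (adapter, server, dhcp_enabled) for every resolver outside the allowlist;
    # a static (DHCP-disabled) entry is the one worth a closer look.
    findings = []
    for name, info in parse_ipconfig(text).items():
        for server in info["dns"]:
            if not any(ip_address(server) in net for net in expected):
                findings.append((name, server, info["dhcp"]))
    return findings
```

Run it against the real output by piping `ipconfig /all > ipconfig.txt` and passing the file contents to `find_unexpected_resolvers`; an empty list means every configured resolver is on the allowlist.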

#5 Jason*


Posted 15 July 2010 - 01:16 PM

Hey!
Okay, the flushing worked for the redirects.
I tried two financial establishments and still got the dummy pages coming up asking me about all kinds of personal info?
They are pages that look like the original sites; I called them, and they are not though.
? :thumbsup: So frustrating.

#6 boopme


Posted 15 July 2010 - 02:45 PM

Ok, well, pretty good. Let's run this; it IS long.
Drweb-CureIt

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the anti-virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


#7 Jason*


Posted 16 July 2010 - 12:05 PM

Okay. You were right, that took a long time.
On the first sweep in the express scan, it grabbed the backdoor trojan. It went all the way through and made me reboot to get rid of it. After that I had to run express again to get to the complete scan. Both of the next scans came up clean.
I tried the banking sites again and no more phishing :thumbsup: :flowers:
Thanks so much.

Any tips on good surfing / firewall protection to keep this from happening again?

#8 boopme


Posted 16 July 2010 - 12:43 PM

You are welcome from all of us here. :thumbsup:
If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:
Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

#9 Jason*


Posted 16 July 2010 - 12:56 PM

Thanks for all the info. I will read up.
Is Returnil a good idea to run? Or Sandboxie?

#10 boopme


Posted 16 July 2010 - 01:06 PM

I and a few others here prefer Sandboxie...

#11 Jason*


Posted 16 July 2010 - 01:12 PM

Sounds good. I will try that one.

Have a great weekend, and thanks for the great site!!!!
