Yet Another Google Redirect


13 replies to this topic

#1 DixieDiva

DixieDiva

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:07 AM

Posted 02 September 2010 - 03:25 PM

I'm using Windows XP and Firefox 3.6.8.
Ran TDSS Killer, which came up clean.
Updated and ran Malwarebytes, which found and repaired 9 problems after reboot. Now the scan comes up clean.
Updated and ran Super Antispyware, which found and repaired 10 problems after reboot. Now the scan comes up clean.

Each time I open a new FF tab, the address bar is blank and a fake Google custom search bar appears on the page. Also redirects real Google searches.

Thanks in advance for the help!



#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:07 PM

Posted 03 September 2010 - 01:09 AM

Can you post the log files from SAS and MBAM?

#3 DixieDiva

DixieDiva
  • Topic Starter


Posted 03 September 2010 - 08:15 AM

Do I need to post these here or on a different board? Just a little confused about that. Thanks!


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4532

Windows 5.1.2600 Service Pack 3, v.3264
Internet Explorer 8.0.6001.18702

9/2/2010 2:53:55 PM
mbam-log-2010-09-02 (14-53-55).txt

Scan type: Quick scan
Objects scanned: 131571
Time elapsed: 5 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\acrep6.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{fe4c2c37-edc8-4c00-b864-3c38cf3ba834} (Adware.Adshot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rfanure (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{32f51a8e-7b0b-b04d-3c24-dd217e872b21} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\acrep6.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\loobr.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Application Data\Zuyvon\foynr.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.






SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/02/2010 at 03:10 PM

Application Version : 4.41.1000

Core Rules Database Version : 5447
Trace Rules Database Version: 3259

Scan type : Quick Scan
Total Scan Time : 00:03:56

Memory items scanned : 452
Memory threats detected : 1
Registry items scanned : 1512
Registry threats detected : 0
File items scanned : 3935
File threats detected : 9

Trojan.Agent/Gen-AdPop
C:\WINDOWS\ALUJOMURARANA.DLL
C:\WINDOWS\ALUJOMURARANA.DLL

Adware.Tracking Cookie
.atdmt.com [ C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.imrworldwide.com [ C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.imrworldwide.com [ C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.doubleclick.net [ C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.lfstmedia.com [ C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.lfstmedia.com [ C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.lfstmedia.com [ C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]

#4 cryptodan


Posted 03 September 2010 - 11:50 AM

Can you now perform full scans of each?

#5 DixieDiva


Posted 03 September 2010 - 01:52 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4535

Windows 5.1.2600 Service Pack 3, v.3264
Internet Explorer 8.0.6001.18702

9/3/2010 12:52:48 PM
mbam-log-2010-09-03 (12-52-48).txt

Scan type: Full scan (C:\|)
Objects scanned: 191575
Time elapsed: 22 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\AI RoboForm\rf6lic.exe (RiskWare.Tool.CK) -> No action taken.
C:\Documents and Settings\Dave\My Documents\Downloads\AI Roboform Pro 6.9.87\license\rf6lic.exe (RiskWare.Tool.CK) -> No action taken.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/03/2010 at 01:08 PM

Application Version : 4.41.1000

Core Rules Database Version : 5447
Trace Rules Database Version: 3259

Scan type : Complete Scan
Total Scan Time : 00:14:45

Memory items scanned : 477
Memory threats detected : 0
Registry items scanned : 6339
Registry threats detected : 0
File items scanned : 13956
File threats detected : 9

Adware.Tracking Cookie
C:\Documents and Settings\Dave\Cookies\dave@atdmt[1].txt
C:\Documents and Settings\Dave\Cookies\dave@ad.wsod[2].txt
img-cdn.mediaplex.com [ C:\Documents and Settings\Dave\Application Data\Macromedia\Flash Player\#SharedObjects\QJMQGA49 ]
.imrworldwide.com [ C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.imrworldwide.com [ C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E5C71521-19FC-41F1-BC94-581E0F258C97}\RP9\A0001249.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E5C71521-19FC-41F1-BC94-581E0F258C97}\RP9\A0001250.EXE

#6 cryptodan


Posted 03 September 2010 - 01:55 PM

Can you now run the following: http://housecall.trendmicro.com/

#7 DixieDiva


Posted 03 September 2010 - 02:10 PM

Posted Image

#8 cryptodan


Posted 03 September 2010 - 02:11 PM

Do the Fix Now button, then rescan your computer with MBAM, SAS and Housecall.

#9 DixieDiva


Posted 03 September 2010 - 02:57 PM

Housecall was clean

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/03/2010 at 02:54 PM

Application Version : 4.42.1000

Core Rules Database Version : 5447
Trace Rules Database Version: 3259

Scan type : Complete Scan
Total Scan Time : 00:33:04

Memory items scanned : 475
Memory threats detected : 0
Registry items scanned : 6343
Registry threats detected : 0
File items scanned : 14024
File threats detected : 1

Adware.Tracking Cookie
media1.break.com [ C:\Documents and Settings\Dave\Application Data\Macromedia\Flash Player\#SharedObjects\QJMQGA49 ]




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4537

Windows 5.1.2600 Service Pack 3, v.3264
Internet Explorer 8.0.6001.18702

9/3/2010 2:56:57 PM
mbam-log-2010-09-03 (14-56-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 192118
Time elapsed: 39 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Dave\My Documents\Downloads\AI Roboform Pro 6.9.87\license\rf6lic.exe (RiskWare.Tool.CK) -> No action taken.
C:\System Volume Information\_restore{E5C71521-19FC-41F1-BC94-581E0F258C97}\RP10\A0003400.exe (RiskWare.Tool.CK) -> No action taken.

#10 cryptodan


Posted 03 September 2010 - 03:00 PM

Is Roboform a paid-for copy or is it downloaded illegally?

#11 DixieDiva


Posted 03 September 2010 - 03:03 PM

Downloaded from the Roboform site. Should I remove and reinstall?

#12 cryptodan


Posted 03 September 2010 - 03:04 PM

I would remove it and then reinstall it.

#13 DixieDiva


Posted 05 September 2010 - 04:39 PM

Thanks so much for your help!

#14 cryptodan


Posted 06 September 2010 - 05:36 AM

Still getting the redirects?



