
Hi-jacked & Redirected, Need a healer, any help appreciated


  • This topic is locked
7 replies to this topic

#1 raptore

raptore

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:17 AM

Posted 06 October 2010 - 09:33 AM

Hi, roughly 3-4 months ago I watched a program on TV called First 48, and afterwards I decided to go online and get some more information. As it is, I must have somehow gone to a virus-infected site, because my PC suddenly started installing so-called programs without my permission. I had no option but to reset, as everything was jammed. Several days later I started getting the redirect/jump links when I was browsing. It got so annoying I decided to take the PC to a local guy who updates my PC. When I received it I thought the problem was fixed, because I was told it was fixed, so I didn't think otherwise.

Well, it wasn't, because after a week or so I got the redirect messages again. So I took it to the same guy again, and for the 2nd time I was told it was fixed, but once again it's started happening in the last few days. I've run out of ideas. I heard about this site from a friend and thought I'd drop in and see if anyone can help.

I would be in debt forever if someone could help me; I would be ever so grateful, because the situation has put me through hell. Anyhow, I have scanned the PC with HijackThis just now and I will upload the file to see if anyone can solve this problem. Thanks guys, appreciate any help.

I also thought I'd upload the Fixwareout reports that I got, if it might help. Here they are.

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 06 October 2010 - 03:52 PM.



#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:03:17 PM

Posted 12 October 2010 - 12:13 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 raptore

raptore
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:17 AM

Posted 14 October 2010 - 09:34 AM

Thank you for the reply. I appreciate any help; I'm in a very stressful situation and it would be amazing if this problem could be fixed.

The problem remains; nothing has changed since I posted. I'd say 70% of the time I click on a link I get redirected somewhere else. I've also picked up that I get disconnected much more often than before; I never had problems with that before.

Anyhow, here are the files; I've attached both. Thanks for your help.

Attached Files



#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:17 AM

Posted 16 October 2010 - 01:15 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



=============================================



1. Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.




2. Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 raptore

raptore
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:17 AM

Posted 18 October 2010 - 01:06 PM

Thanks for the reply. I've done as asked, scanned the PC with gmer.exe and attached the saved file ark.txt.

Appreciate your help, thank you.

I've just scanned my PC with ComboFix and I've just attached the log. Thank you for your help.


Just to inform you, soon after the ComboFix scan I got a message from the WinPatrol (Scotty) program that it had detected a program 'cryptsvc.dll' and asked if I wanted to allow it. I checked online first to see if the file was normal and I accepted it soon afterwards, but I just wanted to ask you guys if I did the right thing, because now I'm having doubts.

Attached Files


Edited by raptore, 18 October 2010 - 10:07 PM.


#6 raptore

raptore
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:17 AM

Posted 19 October 2010 - 01:42 PM

For some reason, after scanning with ComboFix my USB autoplay function has stopped. Can anyone shed some light or advise me how to fix the problem? Thanks guys, appreciate your help greatly.

#7 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:17 AM

Posted 20 October 2010 - 09:25 AM

Hi,

Please do not attach logs unless instructed.

We will address all your concerns later, but for now let's first remove all seen malwares. Did you disable Windows update/Auto update?


=================================================================


P2P Warning:

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case BitTorrent).

These programmes allow users to share files, as the name suggests. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."




=================================================================


1. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Quote box below into it:


DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"=-




4. Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




2. Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" is Cure (Please click on it and change it to skip).
  • Click on Report to generate a log.
  • Please post that log when you reply.

~Semp

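To show what the two entries in the CFScript above are aimed at, here is an added, read-only PowerShell audit. It is not part of the thread and not ComboFix's or the helpers' own code. A `BHO: {CLSID} - No File` line in a DDS log means a Browser Helper Object is still registered under Internet Explorer's BHO key but the DLL its CLSID points to is gone from disk; the `Registry::` section deletes the `ShowDeskFix` value from the `.DEFAULT` profile's RunOnce key. The script lists every registered BHO with the status DDS would report and dumps that RunOnce key, so a helper can confirm what is present before any removal is scripted. The function names are mine; the registry paths are the standard Windows locations, and the script changes nothing.

```powershell
# Added example for this thread (not ComboFix's or the helpers' code).
# Read-only: reports Browser Helper Objects whose DLL is missing ("No File")
# and the RunOnce values of the .DEFAULT profile. Nothing is deleted.
# Function names are mine; registry paths are the standard ones.

$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-BhoStatus {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            # Each subkey name is a CLSID, e.g. {5C255C8A-E604-49b4-9D64-90988571CECB}
            $clsid = $sub.PSChildName
            $dll = $null
            foreach ($root in $ClsidRoots) {
                $inproc = Join-Path -Path $root -ChildPath "$clsid\InprocServer32"
                if (Test-Path -Path $inproc) {
                    # The (default) value of InprocServer32 is the DLL Internet Explorer loads.
                    $dll = (Get-ItemProperty -Path $inproc).'(default)'
                    break
                }
            }
            if (-not $dll) {
                $status = 'No CLSID registration'
            } else {
                $path = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
                # Registered but missing on disk is what a DDS log prints as "No File".
                $status = if (Test-Path -LiteralPath $path) { 'OK' } else { 'No File' }
            }
            [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Status = $status }
        }
    }
}

function Get-DefaultProfileRunOnce {
    # The key the CFScript's Registry:: section removes "ShowDeskFix" from.
    $runOnce = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    if (-not (Test-Path -Path $runOnce)) { return }
    $key = Get-Item -Path $runOnce
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Name = $name; Command = $key.GetValue($name) }
    }
}

# Run from an elevated PowerShell prompt.
Get-BhoStatus | Format-Table -AutoSize
Get-DefaultProfileRunOnce | Format-Table -AutoSize
```

A BHO reported as "No File" is harmless on its own (the loader has nothing to load), which is why such entries are cleaned up by removing the stale registration rather than hunting for a file; a RunOnce value in the `.DEFAULT` hive is worth a second look because it runs before any user logs on.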


#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:17 AM

Posted 28 October 2010 - 08:39 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

~Semp


