Redirection from Google, false malware removal solutions


This topic is locked
28 replies to this topic

#1 robin_jmc
  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 11 October 2010 - 02:57 AM

Hi, I seem to be having similar problems to many others. The most annoying being redirection from Google and other search engines. I have a McAfee Security Centre subscription which found a few trojans etc, however I'm still having problems. At one point I had a pop-up window appear from "Microsoft Essentials Security" telling me that I had viruses and needed to do a scan online. I ignored this believing it to be bogus, but it wouldn't go away. After about 12 hours it eventually disappeared.
I have screenshots and a McAfee report I can send. I know little about computers I'm sorry, so please bear with me!


#2 robin_jmc
  • Topic Starter
  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 18 October 2010 - 03:36 AM

I'm sorry, I really don't know much about this at all. I see that I may have missed some vital info, like showing you my running processes etc. The only problem is, I have no idea how to run this report! Can anyone help?!

#3 robin_jmc
  • Topic Starter
  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 21 October 2010 - 04:37 AM

I can't seem to get a response from anyone - it may be due to lack of info. Problem is, I have no idea how to get that info as outlined in your instructions. I will need guidance through that too please! I.E, I have no idea whether my problem is Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Some further info...
I'm running Windows XP. When following a link in Google, I get a pop-up saying:

"The page at <linkremoved> says...
Warning! Your computer is at risk of malware attacks.
We recommend you check your system immediately. Press OK to start the process now..."

When I click OK, I end up at a site that looks like My Computer which starts "checking" my security. When it has finished checking, it brings up a list with a heap of different virus scan programs. It then starts "checking" which program can help. I usually stop it at this point so it doesn't do any further damage. I have screenshots of all of these which I can send.

Edited by bleeptest, 24 October 2010 - 10:35 AM.
removed malicious link


#4 DaChew
    Visiting Alien
  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:07 AM

Posted 24 October 2010 - 11:14 AM

Have you seen the guide for removing Fake Microsoft Security Essentials?

http://www.bleepingcomputer.com/virus-removal/remove-fake-microsoft-security-essentials-alert
Chewy

No. Try not. Do... or do not. There is no try.

#5 robin_jmc
  • Topic Starter
  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 24 October 2010 - 01:13 PM

I hadn't seen that thanks, but that's exactly it. I haven't had that same problem again since I first posted the original question. I ran Malwarebytes a few days ago which removed 17 infected files - maybe that fixed it. I'm still having problems with redirection from Google however...

I think I picked up the malware while traveling through Asia a few months ago. I met someone there who said malware would jump onto my digital camera if I plugged it in to a PC over there. So I'm 99% sure it came from my digital camera.

#6 robin_jmc
  • Topic Starter
  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 24 October 2010 - 01:18 PM

I'm sometimes redirected from Google to a page saying:

Reported Attack Page!
This web page at <removed> has been reported as an attack page and has been blocked based on your security preferences.
Attack pages try to install programs that steal private information, use your computer to attack others, or damage your system.
Some attack pages intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.

#7 DaChew
    Visiting Alien
  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:07 AM

Posted 24 October 2010 - 02:08 PM

Would you post that log from MBAM please along with a new one from a quick scan done after updating the program?
Chewy

No. Try not. Do... or do not. There is no try.

#8 robin_jmc
  • Topic Starter
  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 24 October 2010 - 02:45 PM

Ok, no prob. This is from the original full scan...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4908

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

22/10/2010 3:09:20 p.m.
mbam-log-2010-10-22 (15-09-20).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|I:\|)
Objects scanned: 382926
Time elapsed: 2 hour(s), 54 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com+ manager (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\download (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Robin\Local Settings\Temp\WINDOWS_SECURITY_CENTER.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robin\Local Settings\Temp\0.157174240420493.exe (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robin\Local Settings\Temp\177.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robin\Local Settings\Temp\Q311Si1_.exe.part (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robin\Application Data\asdsada.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robin\Application Data\444.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\libmmd.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\model.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
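The log above is worth more than its "Quarantined and deleted successfully" lines suggest: the Winlogon shell value and Run-key entries are persistence, the two Security Center DisableNotify values set to 1 explain why a disabled antivirus or firewall never produced a warning, and the Rootkit.TDSS temp file is what the later posts in this thread come back to. The script below is an added example (not MBAM's code, not anything posted in the thread) that parses the MBAM 1.x log format as inferred from this post, checks MBAM's own per-section counts against the entries actually listed (a mismatch means the paste was truncated), and flags the entries a responder would look at first. The sample log is a shortened, constructed copy of the one posted above; the triage rules and their wording are this example's own assumptions.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and triage its detections.

Added example for the thread; the format is inferred from the posted log and the
triage rules are assumptions made here, not MBAM's own classification.
"""
import re
from collections import Counter

# Constructed sample: a shortened copy of the full-scan log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4908

Registry Values Infected: 2
Registry Data Items Infected: 2
Files Infected: 3

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\download (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Robin\Local Settings\Temp\WINDOWS_SECURITY_CENTER.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robin\Local Settings\Temp\177.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\libmmd.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
"""

# "Files Infected: 9" in the header block vs. "Files Infected:" opening a section.
SUMMARY_COUNT = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_HEADER = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# item (family) -> action   (registry data items carry an extra "Bad: (..) Good: (..) ->")
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumed triage rules: which items deserve a closer look and why.
ITEM_RULES = [
    (re.compile(r"\\Winlogon\\shell$", re.I),
     "Winlogon shell value replaced: something other than explorer.exe starts at logon"),
    (re.compile(r"\\CurrentVersion\\Run\\", re.I),
     "Run-key autostart entry (persistence)"),
    (re.compile(r"\\Security Center\\\w*DisableNotify$", re.I),
     "Security Center warning silenced: a disabled AV/firewall raised no alert"),
]
FAMILY_RULES = [
    ("Rootkit.", "rootkit component: a clean MBAM re-scan alone does not prove it is gone"),
    ("Trojan.FakeAV", "rogue-antivirus dropper (the fake 'Security Essentials' pop-up)"),
    ("Trojan.FakeAlert", "fake security alert component"),
]


def parse_mbam_log(text):
    """Return (summary, detections).

    summary maps a section name to the count MBAM printed in its header block;
    detections is a list of dicts with keys section, item, family and action.
    """
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_COUNT.match(line)
        if m:
            summary[m.group("name")] = int(m.group("count"))
            continue
        m = SECTION_HEADER.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = DETECTION.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return summary, detections


def check_counts(summary, detections):
    """Sections whose header count differs from the entries listed: {name: (claimed, listed)}."""
    listed = Counter(d["section"] for d in detections)
    return {name: (claimed, listed.get(name, 0))
            for name, claimed in summary.items() if claimed != listed.get(name, 0)}


def triage(detections):
    """Return [(item, [reasons])] for every detection that matches a triage rule."""
    flagged = []
    for d in detections:
        reasons = [why for rx, why in ITEM_RULES if rx.search(d["item"])]
        reasons += [why for prefix, why in FAMILY_RULES if d["family"].startswith(prefix)]
        if reasons:
            flagged.append((d["item"], reasons))
    return flagged


if __name__ == "__main__":
    summary, dets = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(summary, dets) or "none")
    for item, reasons in triage(dets):
        print(item)
        for why in reasons:
            print("   -", why)
```

Run it as-is to see the six flagged entries; pass a real log's text to parse_mbam_log to apply the same triage to it. The count check is the first thing to do with a pasted log, because a helper reading a truncated paste will otherwise reason about detections that are not there.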

#9 DaChew
    Visiting Alien
  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:07 AM

Posted 24 October 2010 - 02:58 PM

Would you update MBAM and run a quick scan?
Chewy

No. Try not. Do... or do not. There is no try.

#10 robin_jmc
  • Topic Starter
  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 24 October 2010 - 03:22 PM

Here's the quick scan after an update...


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4938

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

24/10/2010 10:16:57 p.m.
mbam-log-2010-10-24 (22-16-57).txt

Scan type: Quick scan
Objects scanned: 182220
Time elapsed: 28 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 DaChew
    Visiting Alien
  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:07 AM

Posted 24 October 2010 - 03:29 PM

I'm sometimes redirected from Google to a page saying:


How recent has this happened? That's from the rootkit you had, we need to verify that it's gone.
Chewy

No. Try not. Do... or do not. There is no try.

#12 robin_jmc
  • Topic Starter
  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 24 October 2010 - 03:34 PM

It last did it a few hours ago. I just tried a Google search now and got it again.

#13 DaChew
    Visiting Alien
  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:07 AM

Posted 24 October 2010 - 03:37 PM

We'll need to try to kill the rootkit with tdsskiller.

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
Chewy

No. Try not. Do... or do not. There is no try.

#14 robin_jmc
  • Topic Starter
  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 24 October 2010 - 04:16 PM

Ok, I tried that. It found one "Suspicious object" which says "Locked file".
In the instructions it says to hit "Continue" once the scan is complete. At the top right corner of that window in the instructions it says "Cure". Mine says "Skip" and when I click on that it gives me the options of "Quarantine" or "Delete". I hit delete, then rebooted as I was prompted to do. The computer then wouldn't boot up and asked if I wanted to go into Safe Mode, Safe mode for Networking, Boot Windows normally or Boot Last Good Configuration. Normal Mode and Safe Mode wouldn't boot up, so I went to Boot Last Good Configuration. That worked, but the problem still exists. I just ran TDSSKiller again and got the exact same message. I did it all over again and the same thing happened.

#15 DaChew
    Visiting Alien
  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:07 AM

Posted 24 October 2010 - 04:21 PM

It would have been nice if it worked, but your infection has evidently "morphed" and tdsskiller can't remove it.

Hopefully we can get a trained expert on this.

Let me put out a call.

Edited by DaChew, 24 October 2010 - 04:21 PM.

Chewy

No. Try not. Do... or do not. There is no try.
