
Another Google Redirect Problem


  • This topic is locked
25 replies to this topic

#16 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:17 AM

Posted 15 November 2010 - 09:27 AM

Hi,

please use Eset instead:
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+




#17 kdkiehn

kdkiehn
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:17 PM

Posted 15 November 2010 - 09:31 PM

myrti,

Here is the ESET log:

C:\Qoobox\Quarantine\C\autorun.inf.vir Win32/AutoRun.Agent.BE worm cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Windows\explorer.exe.vir Win32/Bamital.EL trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Windows\System32\awttrSIY.dll.vir a variant of Win32/Adware.Virtumonde.NDB application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Windows\System32\gbftmvwj.dll.vir a variant of Win32/Adware.Virtumonde.NDB application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Windows\System32\ljJYRHBQ.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Windows\System32\QBHRYJjl.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Windows\System32\QBHRYJjl.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Windows\System32\tuvWmJyx.dll.vir a variant of Win32/Adware.Virtumonde.NDB application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Windows\System32\wininit.exe.vir Win32/Bamital.EL trojan deleted - quarantined

C:\Users\Kacey\AppData\Local\yyrmsgmqp\bytolchtssd.exe Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined

C:\Users\Kacey\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\7640a24b-2cd1448e multiple threats deleted - quarantined

C:\Users\Kacey\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\6f530d9b-43bb95c3 OSX/Exploit.Smid.B trojan deleted - quarantined

C:\Users\Kacey\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\4c871c68-2d9e9ca2 multiple threats deleted - quarantined

C:\Users\Kacey\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\1c30ac74-26164609 multiple threats deleted - quarantined

C:\Users\Kacey\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\21dbbb5-21d8430d Java/TrojanDownloader.Agent.NBU trojan deleted - quarantined

C:\Users\Kacey\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\53d361fc-5026ddda multiple threats deleted - quarantined

C:\Users\Kacey\Downloaded Programs\XPMedic_Setup.exe Win32/Adware.XPMedic application deleted - quarantined

C:\Users\Kacey\Downloaded Programs\XPMedic_Setup.zip Win32/Adware.XPMedic application deleted - quarantined

C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EQ trojan cleaned by deleting - quarantined

C:\Windows\explorer.bad Win32/Bamital.EQ trojan deleted - quarantined

C:\Windows\System32\wininit.bad Win32/Bamital.EQ trojan deleted - quarantined


Thanks,
Kacey

#18 myrti


Posted 16 November 2010 - 02:23 AM

Hi,

please delete this folder: C:\Users\Kacey\AppData\Local\yyrmsgmqp

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version 9.3 and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • Once the installation is finished, open Adobe Reader and accept the warranty if prompted.
  • Click on Help and select Check for Updates.
  • A window will open and Adobe will check for Updates. If any updates are found to be available click on Download.
  • Once the update is downloaded you will get a system notification telling you so. Click on the popup to restore the window.
  • In the window that opens click Install.
  • Once the update is done click Close.
Your Adobe Reader is now up to date!

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)"
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

regards myrti



#19 kdkiehn


Posted 16 November 2010 - 09:43 AM

Hi myrti,

Adobe and Java have been updated.

While deleting the specified folder, I noticed a large number of folders in the "...AppData\Local" folder that are very randomly named, with 9 characters. Some of the folders contain nothing, while others contain a single .exe file that is seemingly randomly named as well. The strange folders were all created 10/25/10 and the files within them all say they were created on 4/11/10.
Malicious?

Thanks,
Kacey

#20 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:17 AM

Posted 16 November 2010 - 10:27 AM

Hi,

can you give me a list of those folders? Chances are that they are malicious yes. I am not seeing them in the logs, but then again, not all can be shown.

Can you upload one of those files to virustotal.com and let me know what the results are?

regards myrti



#21 kdkiehn


Posted 16 November 2010 - 02:49 PM

myrti,

Here is a list of the files and folders in my "...AppData\Local" folder:

Volume in drive C is OS
Volume Serial Number is 6EDB-0B0A

Directory of C:\Users\Kacey\AppData\Local

11/16/10 05:57 AM <DIR> .
11/16/10 05:57 AM <DIR> ..
11/16/10 05:57 AM <DIR> Adobe
10/25/10 05:29 PM <DIR> aoqflplbq
06/09/08 04:40 PM <DIR> Apple
03/19/09 05:58 PM <DIR> Apple Computer
07/08/09 05:31 PM <DIR> Apps
10/25/10 05:29 PM <DIR> bfnpitaca
10/25/10 05:29 PM <DIR> bicxnvhkc
10/25/10 05:29 PM <DIR> blbjkphaq
11/05/08 09:58 PM 680 d3d9caps.dat
11/12/10 04:29 PM 115,200 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
07/08/09 05:31 PM <DIR> Deployment
11/11/10 09:30 PM <DIR> Downloaded Installations
10/25/10 05:29 PM <DIR> dvhxneuso
10/25/10 05:29 PM <DIR> dxfjkxuid
10/25/10 05:29 PM <DIR> egoamqeek
01/25/10 06:30 AM 0 Ewobofivutamux.bin
10/25/10 05:29 PM <DIR> fdyelradk
10/25/10 05:29 PM <DIR> fjnmjkety
11/14/10 08:58 PM <DIR> FLVService
10/25/10 05:29 PM <DIR> foaflglrp
10/25/10 05:29 PM <DIR> fwmljvsft
10/25/10 08:23 PM <DIR> gakwgpsui
08/15/10 05:20 PM 135,128 GDIPFONTCACHEV1.DAT
10/24/10 11:07 AM <DIR> Google
10/25/10 08:23 PM <DIR> gstbmyrmw
10/25/10 05:29 PM <DIR> hfggdfvin
10/25/10 08:23 PM <DIR> hkqljefng
07/12/10 05:13 AM 36 housecall.guid.cache
10/25/08 10:50 AM <DIR> HP
10/25/10 05:29 PM <DIR> hpeelamlw
10/25/10 05:29 PM <DIR> imnikailw
10/25/10 08:23 PM <DIR> impwgxfdu
08/09/08 11:11 PM <DIR> Installer2748
08/09/08 11:19 PM <DIR> Installer5544
10/25/10 05:29 PM <DIR> ixpjkptac
01/25/10 11:11 AM 120 Jfuwipokidupap.dat
10/25/10 05:29 PM <DIR> kffcmecra
10/25/10 05:29 PM <DIR> kfhqicajx
10/25/10 05:29 PM <DIR> kkrvoajpp
10/25/10 08:23 PM <DIR> kvtwnoveu
05/06/08 03:34 PM <DIR> MediaDirect
10/25/10 05:29 PM <DIR> menrhyxgo
10/25/10 05:29 PM <DIR> mepgdwvym
03/29/10 04:38 PM <DIR> Microsoft
05/11/08 05:32 PM <DIR> Microsoft Games
05/06/08 05:05 PM <DIR> Microsoft Help
11/22/08 01:29 PM <DIR> MigWiz
10/25/10 08:23 PM <DIR> mjbljufef
10/25/10 08:23 PM <DIR> mrmqikmsj
10/25/10 05:29 PM <DIR> mxykjgtqa
10/25/10 08:23 PM <DIR> nlwikricv
10/25/10 05:29 PM <DIR> oihmjrebv
10/25/10 05:29 PM <DIR> pfqqisybv
10/25/10 08:23 PM <DIR> phnoipcxm
10/25/10 05:29 PM <DIR> pkcvorjgo
10/25/10 05:29 PM <DIR> pkekjogym
10/25/10 08:23 PM <DIR> psppienmr
10/25/10 08:23 PM <DIR> qglamrfgo
10/25/10 08:23 PM <DIR> qmysonmef
10/25/10 05:29 PM <DIR> qvmmjaqji
01/02/10 08:50 AM <DIR> Real
10/25/10 05:29 PM <DIR> rgtpimbud
10/25/10 05:29 PM <DIR> rmjxgfflr
10/25/10 05:29 PM <DIR> rxikjwthy
10/25/10 05:29 PM <DIR> safhktwep
10/25/10 08:23 PM <DIR> shoynlgav
10/25/10 05:29 PM <DIR> siqmjjdrt
10/25/10 05:29 PM <DIR> sogugciii
09/06/08 02:20 PM <DIR> Sony Ericsson
10/25/10 05:29 PM <DIR> sregdvixw
10/25/10 05:29 PM <DIR> stqamarob
05/08/08 05:15 AM <DIR> SupportSoft
10/25/10 08:23 PM <DIR> sydtovymr
11/16/10 11:38 AM <DIR> Temp
10/25/10 05:29 PM <DIR> tknkjfgpk
10/25/10 08:23 PM <DIR> twpljtrep
10/25/10 05:29 PM <DIR> tymjkqubg
10/25/10 05:29 PM <DIR> ubigknxyw
05/06/08 04:13 PM <DIR> VirtualStore
10/25/10 05:29 PM <DIR> vrfqhrmag
10/25/10 05:29 PM <DIR> vxuyflqpu
10/25/10 05:29 PM <DIR> wopugshyh
10/25/10 05:29 PM <DIR> wtcoiooww
10/25/10 05:29 PM <DIR> wwqvnqvgy
07/08/09 06:08 PM <DIR> Xenocode
10/25/10 05:29 PM <DIR> xkwkjvggj
10/25/10 05:29 PM <DIR> xqohdmhov
10/25/10 05:29 PM <DIR> xvwxnnucp
10/25/10 05:29 PM <DIR> yyxxgfrkc
6 File(s) 251,164 bytes
85 Dir(s) 82,623,537,152 bytes free

VirusTotal scan for one of the .exe files. (bfnpitaca\hfmiihctssd.exe)


AhnLab-V3 2010.11.16.00 2010.11.15 -
AntiVir 7.10.14.12 2010.11.16 TR/Trash.Gen
Antiy-AVL 2.0.3.7 2010.11.16 -
Avast 4.8.1351.0 2010.11.16 Win32:VB-OXF
Avast5 5.0.594.0 2010.11.16 Win32:VB-OXF
AVG 9.0.0.851 2010.11.16 -
BitDefender 7.2 2010.11.16 -
CAT-QuickHeal 11.00 2010.11.09 -
ClamAV 0.96.4.0 2010.11.16 -
Command 5.2.11.5 2010.11.16 -
Comodo 6744 2010.11.16 -
DrWeb 5.0.2.03300 2010.11.16 -
Emsisoft 5.0.0.50 2010.11.16 -
eSafe 7.0.17.0 2010.11.16 -
eTrust-Vet 36.1.7980 2010.11.16 Win32/FakeAV.CGO
F-Prot 4.6.2.117 2010.11.16 -
F-Secure 9.0.16160.0 2010.11.16 -
Fortinet 4.2.249.0 2010.11.15 -
GData 21 2010.11.16 Win32:VB-OXF
Ikarus T3.1.1.90.0 2010.11.16 -
Jiangmin 13.0.900 2010.11.16 -
K7AntiVirus 9.67.2973 2010.11.12 -
Kaspersky 7.0.0.125 2010.11.16 -
McAfee 5.400.0.1158 2010.11.16 -
McAfee-GW-Edition 2010.1C 2010.11.16 -
Microsoft 1.6301 2010.11.16 -
NOD32 5624 2010.11.16 -
Norman 6.06.10 2010.11.16 -
nProtect 2010-11-16.02 2010.11.16 -
Panda 10.0.2.7 2010.11.16 -
PCTools 7.0.3.5 2010.11.16 HeurEngine.MalPE
Prevx 3.0 2010.11.16 -
Rising 22.74.00.01 2010.11.16 -
Sophos 4.59.0 2010.11.16 Mal/Koobface-B
SUPERAntiSpyware 4.40.0.1006 2010.11.16 Trojan.Agent/Gen-Nullo[Short]
Symantec 20101.2.0.161 2010.11.16 Bloodhound.MalPE
TheHacker 6.7.0.1.085 2010.11.16 Trojan/FraudPack.apwe
TrendMicro 9.120.0.1004 2010.11.16 -
TrendMicro-HouseCall 9.120.0.1004 2010.11.16 -
VBA32 3.12.14.2 2010.11.16 -
VIPRE 7327 2010.11.16 -
ViRobot 2010.11.16.4151 2010.11.16 -
VirusBuster 12.76.2.0 2010.11.16 -


Thanks,
Kacey
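The two observations in the post above (dozens of 9-character lowercase folder names all created on the same day, and a VirusTotal result set where only a minority of engines flag the file) are exactly the kind of triage a defender can automate. The following script is an added example written for this page, not a tool from the thread or from BleepingComputer. It parses a Windows `dir` listing and flags directories whose names are nine lowercase letters and that share a creation date with other such directories (the heuristic Kacey described), and it tallies a VirusTotal-style engine/verdict list into a detection ratio. The sample inputs are constructed excerpts of the listings posted above, trimmed so the script runs offline; the nine-letter length and the cluster threshold are assumptions taken from this thread, not a general malware signature.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the `dir /a` style listing posted in the thread.
SAMPLE_LISTING = """\
 Directory of C:\\Users\\Kacey\\AppData\\Local

11/16/10 05:57 AM <DIR> Adobe
10/25/10 05:29 PM <DIR> aoqflplbq
06/09/08 04:40 PM <DIR> Apple
10/25/10 05:29 PM <DIR> bfnpitaca
11/05/08 09:58 PM 680 d3d9caps.dat
10/25/10 08:23 PM <DIR> gakwgpsui
10/24/10 11:07 AM <DIR> Google
11/16/10 11:38 AM <DIR> Temp
"""

# Constructed sample: four lines in the "engine version date verdict" layout
# of the VirusTotal output posted in the thread ("-" means no detection).
SAMPLE_VT = """\
AhnLab-V3 2010.11.16.00 2010.11.15 -
AntiVir 7.10.14.12 2010.11.16 TR/Trash.Gen
Avast 4.8.1351.0 2010.11.16 Win32:VB-OXF
Sophos 4.59.0 2010.11.16 Mal/Koobface-B
"""

# One `dir` entry: date, time, either <DIR> or a byte size, then the name.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{2})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)
# Assumed heuristic from the thread: exactly nine lowercase ASCII letters.
RANDOM_NAME = re.compile(r"^[a-z]{9}$")


def parse_listing(text):
    """Turn a `dir` listing into a list of entry dicts; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        date, time, kind, name = m.groups()
        entries.append({"date": date, "time": time,
                        "is_dir": kind == "<DIR>", "name": name})
    return entries


def flag_random_dirs(entries, min_cluster=2):
    """Return directories with random-looking names that were created on a date
    shared by at least `min_cluster` other such directories (a mass drop)."""
    candidates = [e for e in entries if e["is_dir"] and RANDOM_NAME.match(e["name"])]
    per_date = Counter(e["date"] for e in candidates)
    return [e for e in candidates if per_date[e["date"]] >= min_cluster]


def summarize_vt(text):
    """Parse engine/verdict lines; return (engines_scanned, {engine: verdict})."""
    detections, total = {}, 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        total += 1
        engine, verdict = parts[0], parts[-1]
        if verdict != "-":
            detections[engine] = verdict
    return total, detections


if __name__ == "__main__":
    flagged = flag_random_dirs(parse_listing(SAMPLE_LISTING))
    print("Suspicious directories (same-day random names):")
    for e in flagged:
        print(f"  {e['date']} {e['time']}  {e['name']}")
    total, hits = summarize_vt(SAMPLE_VT)
    print(f"\nVirusTotal: {len(hits)}/{total} engines flagged the file")
    for engine, verdict in hits.items():
        print(f"  {engine}: {verdict}")
```

The date clustering matters more than the name pattern on its own: legitimate software occasionally uses random-looking folder names, but a burst of them sharing one creation timestamp, each holding a single random executable, is the dropper pattern seen in this thread. A low detection ratio on VirusTotal (here 3 of 4 in the sample; 10 of 43 in the full result above) is normal for fresh fake-AV droppers and is not evidence the file is clean.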

#22 myrti


Posted 17 November 2010 - 05:56 AM

Hi,

yeah, those should go. They are inactive and not dangerous as long as you don't decide to double click one of those files, but they needn't stay either.

I trust you know which one to remove and which ones to keep?

regards myrti



#23 kdkiehn


Posted 17 November 2010 - 08:39 AM

Hi myrti,

Yep, the bad folders and files have been deleted. Any other scans I should run?

Thanks,
Kacey

#24 myrti


Posted 20 November 2010 - 08:58 AM

Hi,

not unless you are experiencing any more problems. :)

I would ask you however to remove all the programs we used:
Please do the following to clean up your PC:
  • Delete the tools used during the disinfection:
  • Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      Posted Image
    • Download OTC from the following mirror and save it to your desktop:
    • Double click on Posted Image
    • Push the large "Cleanup" button.
    • Allow your system to reboot.
  • If OTC failed to remove all programs from your Desktop, please delete the rest manually.
Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:
Have a nice day
myrti



#25 kdkiehn


Posted 22 November 2010 - 09:13 AM

Everything is clean, no more problems.

Thank you so much!

Kacey

#26 myrti


Posted 22 November 2010 - 07:56 PM

Heya,

glad we could help! :thumbsup:

Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti
