Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Searches Being Redirected


  • This topic is locked This topic is locked
9 replies to this topic

#1 RedneckChamp

RedneckChamp

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 04 March 2011 - 01:41 AM

I received a Malware program tonight from a mp3 download. The fake security software popped up and I immediately shut down its process tree. After doing so I used Malwarebytes and removed the fraudulent files. Then ran a scan from Avast and the search came up empty. So I'm assuming that my system is clean but these hackers always mess with your IP's, proxy, DNS, etc. Can someone look at my HiJackThis report and tell me what to do to fix it? I can surf the net with direct thinks, etc, but can't do Google searches now.

BTW, I only use Firefox for a internet browser, so I believe these Internet Explorer files could be the problem but I honestly have no clue. I also just attached the log to this post in case that helps.
Thanks for the help in advance!

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,067 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:40 PM

Posted 04 March 2011 - 08:13 AM

Can someone look at my HiJackThis report and tell me what to do to fix it?

HijackThis logs are not permitted in this forum. Further, HijackThis only scans certain areas of a computer's system/registry to help diagnose the presence of undetected malware in known hiding places. Therefore, it is limited in its ability to detect infection and generate a report outside these known hiding places and its log may not always reveal all the malware on a computer. As such, HijackThis has been replaced by other preferred tools like DDS, OTL and RSIT that provide comprehensive logs with specific details about more areas of a computer's system, files, folders and registry keys which may have been modified by malware infection.

The Malware Response Team members are all volunteers who contribute to helping members as time permits but currently there is a backup and you may have to wait for assistance. Referrals are made to the Virus, Trojan, Spyware, and Malware Removal Logs forum if we cannot assist you here and we need to use more powerful tools or you don't mind waiting.

If you do not mind waiting and want someone to check your system thoroughly, then please follow the directions in the the "Preparation Guide". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log. Start a new topic, give it a relevant title and post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.

If you want to try disinfection in this forum first, continue as follows:


Please post the results of your last MBAM scan for review (even if nothing was found).

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd



Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.

    Posted Image
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found, will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.

    Posted Image
  • Click Continue > Reboot now to finish the cleaning process.<- Important!!

    Posted Image
  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 RedneckChamp

RedneckChamp
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 04 March 2011 - 10:12 AM

Thanks for the Reply. Sorry about the wrong location. I thought this was the right place. Anyways, I used Avast Internet Security after I tried RKill to make sure nothing was running(and there wasn't) and it found around 5 more that had been left over from what Malwarebytes had not taken care of. It removed them all except one.

MBAM's Report:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5948

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

3/4/2011 12:53:18 AM
mbam-log-2011-03-04 (00-53-18).txt

Scan type: Full scan (C:\|G:\|)
Objects scanned: 300451
Time elapsed: 31 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\LKGGOPABUH (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mdnkso81qq2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKGGOPABUH (Trojan.FakeAlert) -> Value: LKGGOPABUH -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Todd\AppData\Local\Mozilla\Firefox\Profiles\3txtosxv.default\Cache\de8e6a1cd01 (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Todd\AppData\Local\Mozilla\Firefox\Profiles\3txtosxv.default\Cache\7121c773d01 (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Todd\AppData\Local\Temp\1.4420882991307685e8.exe (Rogue.Agent) -> Quarantined and deleted successfully.
c:\Users\Todd\AppData\Local\Temp\Uq0.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\Users\Todd\AppData\Local\Temp\Uqv.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\Users\Todd\AppData\Local\Temp\Uqw.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\Users\Todd\AppData\Local\Temp\Uqx.exe (Trojan.FraudPack.Gen) -> Delete on reboot.
c:\Users\Todd\AppData\Local\Temp\Uqy.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\Users\Todd\AppData\Local\Temp\Uqz.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\Users\Todd\AppData\Local\Temp\grfbfubng\qhhcwvphmof.exe (Rogue.Agent) -> Quarantined and deleted successfully.
c:\Users\Todd\downloads\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
c:\Windows\Usolia.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\Windows\Usolib.exe (Trojan.FraudPack.Gen) -> Delete on reboot.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

I believe I may have fixed it though. I installed a Addon for Firefox that is called FoxyProxy and once I made it override the explorers current proxy I can now click on search results and actually go to that link now. If you would like, I could post the Avast Log on here as well. Just don't want to post something again that is not allowed.

Thanks again!

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,067 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:40 PM

Posted 04 March 2011 - 10:19 AM

Your Malwarebytes Anti-Malware log indicates some files will be deleted on reboot. If MBAM encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. If you have not rebooted, make sure you do this. When done, rescan again with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning. Then click the Logs tab and copy/paste the contents of the new report in your next reply. If you did reboot, then rescan again anyway and post a new log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 RedneckChamp

RedneckChamp
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 04 March 2011 - 10:35 AM

Yes I did reboot, and then ran an Avast Boot Time Scan, which removed a couple things as well.

MBAM Quick Scan Like Requested:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5951

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

3/4/2011 10:28:15 AM
mbam-log-2011-03-04 (10-28-15).txt

Scan type: Quick scan
Objects scanned: 147733
Time elapsed: 2 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


This was the only thing I had to delete Manually.

Location= ProgramData\ReviverSoft\RegistryReviver.msi......#'s and letters here.
Status=PUP:Win32.SlowPCFighter[PUP]


Maybe this will take care of it, I don't know.

#6 RedneckChamp

RedneckChamp
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 04 March 2011 - 10:43 AM

I take that back, I just performed a Google search and it redirected me again. I downloaded and followed your instructions for the TDSS Killer and it only found one "suspicious" locked file. The file is "sptd" or something along those lines. I use Daemon Tools so I believe that deals with that.

Should I just try re-installing Firefox?
Oh, I forgot to mention before, ever since this happened I can not turn back on Windows Security. WIN7 OS btw.

Edited by RedneckChamp, 04 March 2011 - 11:47 AM.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,067 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:40 PM

Posted 04 March 2011 - 12:21 PM

If none of the tools you have used thus far are finding any malicious files or not successful at removal, this issue will require further investigation. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants so more advanced tools are needed to investigate. Before that can be done you will need you to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the Malware Response Team.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 RedneckChamp

RedneckChamp
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 04 March 2011 - 12:29 PM

Already a head of yeah, lol! Thanks for the post back and once GMER is complete I will post its log and the DDS log in the forums you requested. Thanks again quietman7!

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,067 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:40 PM

Posted 04 March 2011 - 12:35 PM

You're welcome and good luck.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,109 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:40 PM

Posted 04 March 2011 - 11:39 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic383062.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


animinionsmalltext.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users