Removed XP Home security now reinfected and google redirect



#1 cakegirl


Posted 17 June 2011 - 08:35 AM

Hi,

I had help removing XP Home Security 2012 from my laptop yesterday. Forum link to my logs-My link

I used FIXNCR, then RKill, Malwarebytes scan removed items, followed by another full scan of SuperAntiSpyware. My computer was running well with no popups but was getting redirected on google searches. Last night XP Home Security popped up again! Now, my desktop (which was NOT my infected computer) is getting the same google redirects.

I am now going through the same removal guide as I did yesterday, but it seemed to not remove the problem, or I was instantly reinfected.
Any help would be very welcome!

#2 computerman1015


Posted 17 June 2011 - 09:12 AM

Let me see if I can help. If you could, please provide me with your primary antivirus program. If you have multiple installed on your system, please include them (ie. MBAM, Trend Micro, Norton 360, etc).

#3 computerman1015


Posted 17 June 2011 - 09:21 AM

Actually, scratch that. I apologize for double posting, but I'd like you to check something.

Did you follow these steps in removing XP Home Security? Failure to have done so may have resulted in your inability to properly remove the entire malware program. If you have followed these steps, please tell me so we can move on from there. If not, please also tell me so I can break it up into bits and pieces and ensure your google redirect virus will go away.

Edited by computerman1015, 17 June 2011 - 09:21 AM.


#4 cakegirl


Posted 17 June 2011 - 09:27 AM

I'm posting my log from Malwarebytes this morning. After my computer rebooted in regular mode, I was met with an error box:
RUNDLL
Error loading C:\windows\system32\wuaucpln.dll

Which followed by a blue screen. Rebooted in safe mode right now to post the log.

I followed this guide exactly in removing it yesterday:
http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6876

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/17/2011 9:48:22 AM
mbam-log-2011-06-17 (09-48-22).txt

Scan type: Full scan (C:\|)
Objects scanned: 249627
Time elapsed: 1 hour(s), 26 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3688953428 (Trojan.ExeShell.Gen) -> Value: 3688953428 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cleanddm (Trojan.Qhost.CD) -> Value: cleanddm -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Windows\local settings\application data\jum.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Windows\application data\Adobe\plugs\mmc4419718.txt (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\Windows\application data\Sun\Java\deployment\cache\6.0\2\1cf99542-6b9f62e3 (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Windows\local settings\Temp\0.866153430782901.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Windows\local settings\Temp\9b88.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Windows\local settings\temporary internet files\Content.IE5\8C5KYCLO\windows-update-sp4-kb64228-setup[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\Windows\local settings\temporary internet files\Content.IE5\FYIQY82F\setup[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Windows\local settings\temporary internet files\Content.IE5\FYIQY82F\windows-update-sp4-kb99812-setup[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Windows\local settings\temporary internet files\Content.IE5\PJMWCYFX\setup[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{99405003-f8db-4ba4-8748-d38cb8549ff1}\RP1\A0001012.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{99405003-f8db-4ba4-8748-d38cb8549ff1}\RP1\A0001013.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Windows\application data\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Windows\application data\Adobe\plugs\mmc73.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
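As an added, read-only check (not part of the thread, and not a Malwarebytes tool), the PowerShell script below re-examines the indicators the log above reports: the three Security Center DisableNotify values (Bad: (1) Good: (0)), suspicious Run entries like the numeric `3688953428` and `cleanddm` values, hosts-file mappings of the kind the Trojan.Qhost detection implies, and the DNS servers the adapters are using, which is the point of the router reset suggested later in the thread. It assumes a Windows host with PowerShell and an elevated prompt.

```powershell
# Added audit script: reports the indicators from the log above, changes nothing.
# Run from an elevated PowerShell prompt.

$findings = @()

# 1. Security Center notification switches. A value of 1 silences the warning
#    that antivirus / firewall / updates are off (the log showed Bad: (1) Good: (0)).
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $v = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { $findings += "Security Center: $name = 1 (notifications suppressed)" }
}

# 2. Autostart entries in both Run hives. Names that are random digits, or commands
#    that point into a user profile or temp folder, deserve a second look.
foreach ($hive in 'HKCU', 'HKLM') {
    $key   = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            if ($_.Name -match '^\d+$' -or $_.Value -match 'Documents and Settings|AppData|\\Temp\\') {
                $findings += "Run ($hive): $($_.Name) -> $($_.Value)"
            }
        }
    }
}

# 3. hosts file: any active mapping other than the localhost entry redirects a
#    host name without touching DNS, which is what Qhost-type trojans do.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost' } |
    ForEach-Object { $findings += "hosts: $($_.Trim())" }

# 4. DNS servers handed to each enabled adapter. A router whose DNS settings were
#    changed shows up here as an address you do not recognise; compare it with
#    what your ISP or router actually uses.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $findings += "DNS ($($_.Description)): $($_.DNSServerSearchOrder -join ', ')" }

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

The DNS lines are always printed, since only you can say whether the addresses are the expected ones; the other three sections print only when something matches.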

#5 cakegirl


Posted 17 June 2011 - 09:29 AM

Also, I forgot to add, I use AVG 9.0 on this laptop.

#6 computerman1015


Posted 17 June 2011 - 09:40 AM

I'm going to ask you a couple more questions, just to get a basis on how to diagnose this problem:

1.) When you followed the steps yesterday, how did your computer react?
2.) Did your computer happen to show some sign of "crashing" so to speak before beginning these directions?
3.) Would you happen to be running on a wireless or wired internet network?

#7 cakegirl


Posted 17 June 2011 - 12:35 PM

1. My computer seemed to react well. Was able to do all the steps with no problems and it seemed great. I used it in normal mode with no issues.... until about an hr or 2 of use, when I started getting the google redirects. As I was attempting to figure out the problem from that, I began getting the XP Security 2012 popups again. I was doing lots of google searches during this time (house AND car shopping) to give you an idea of sites I visited.

2. The only signs I had were that my computer was still running a little slower than it has been in the past, and the google redirects.

3. I was on a secured wireless network for my laptop. However, today I am getting the same re-directs on my desktop (which I used to download and transfer all the files yesterday to my laptop.)

#8 computerman1015


Posted 17 June 2011 - 05:17 PM

Reset Your Router

I want you to reset your router to default settings. Usually, on the modem, there should be a small button you can access with a pin which will restart your router. I want you to do that for me, and then tell me if the problem persists. If it does:

1.) Can you run .exe files?

#9 cakegirl


Posted 17 June 2011 - 11:30 PM

wwww.pietroy.in is something that keeps trying to install every time I am redirected. Windows blocks it and asks my permission to install.

Yes, I reset my router, Home Security 2012 seems to be gone, but something is still infecting me and redirecting on every search engine.. even within different websites.
And yes, I can run exe files.
Malwarebytes shows 0 and Superantispyware also shows nothing.

I updated JAVA tonight as well as deleted all old adobe programs, and reinstalled the new versions. Have no idea what else to do.

Edited by cakegirl, 17 June 2011 - 11:31 PM.
