Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

google redirect and always asks "open with"


  • Please log in to reply
11 replies to this topic

#1 jej78

jej78

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 06 July 2011 - 09:06 PM

I think I have two problems and not sure if they are related, but the combination has made my computer unworkable.

First came the google redirect problem. I have been afraid to try to address it without being walked through the correction steps.

On the last start up, avg detected a threat. Chose to neutralize it. After another restart, avg and intel proset wireless utility were no longer in the icon tray as before. Tried to open both of those from the start menu, and with each the "open with which program" dialog box popped up. Tried with a few other programs (i.e. firefox and explorer) and got the same results. I browsed through and found the program file for firefox so I could open it to get online to solve this problem. Once I clicked on it though the "open with" box, was almost like firefox did a short reinstall.

Currently running a malwarebytes scan to see what that turns up.

O/S is windows xp and normal antivirus is avg free 2011.

Thanks in advance for the help.

BC AdBot (Login to Remove)

 


#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:12:26 PM

Posted 09 July 2011 - 03:04 PM

:welcome: to BleepingComputer. Sorry for the delay! My name is Jason and I'll be helping you. You can call me by my screename jntkwx or Jason is fine.

If you have any questions following these steps, feel free to ask for clarification (or if you cannot complete a step.)

:step1: Download Security Check by screen317 from here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

:step2: Let's try rebooting into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu with several options. Press the down arrow key on your keyboard until Safe Mode with Networking is selected. Press Enter. Please see here for additional details.

:step3: Once in Safe Mode with Networking, download Rkill

Run Rkill (renamed iExplore.exe).

Please be patient while Rkill looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If it appears like Rkill did not stop the malware from running, please try running RKill again until the malware is no longer running.

If you are unable to download rkill from the main download, try these alternate download locations:

1. http://download.bleepingcomputer.com/grinler/rkill.com
2. http://download.bleepingcomputer.com/grinler/rkill.pif
3. http://download.bleepingcomputer.com/grinler/rkill.scr
4. http://download.bleepingcomputer.com/grinler/eXplorer.exe
5. http://download.bleepingcomputer.com/grinler/iExplore.exe
6. http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe
7. http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe
8. http://www.boredomsoft.org/hosted/rkill.exe
9. http://www.boredomsoft.org/hosted/rkill.com
10. http://www.boredomsoft.org/hosted/rkill.scr
11. http://www.boredomsoft.org/hosted/eXplorer.exe
12. http://www.boredomsoft.org/hosted/iExplore.exe


Do not reboot your computer after running RKill as the malware programs will start again!

:step4: Still in Safe Mode with Networking, Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware


:step5: As this infection is known to be bundled with the TDSS rootkit infection, you should also run a program that can be used to scan for this infection. Please follow the steps in the following guide:

How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller

If after running TDSSKiller, you are still unable to update Malwarebytes' Anti-malware or continue to have Google search result redirects, then you should post a virus removal request using the steps in the following topic rather than continuing with this guide:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help Topic


:step6: Reboot into Normal mode. Next run Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

In your next reply, please include:
  • SecurityCheck's checkup.txt file
  • Malwarebytes' log file
  • SUPERantispyware log file
  • How's the computer running now? Please include a detailed description of anything out of the ordinary.

Edited by jntkwx, 09 July 2011 - 03:06 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#3 jej78

jej78
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 10 July 2011 - 08:15 PM

Thanks for the step-by-step guide you posted.

Contents of the Security Check outcome:

Results of screen317's Security Check version 0.99.17
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
AVG 2011
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 16
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10.3.181.22
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


Going to start on step 2.

Edited by jej78, 10 July 2011 - 08:18 PM.


#4 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:12:26 PM

Posted 10 July 2011 - 08:27 PM

:thumbup2: Looking good so far. When you get to step 4, since you already have Malwarebytes installed, don't reinstall it (as instructed in step 4), just open Malwarebytes, click on the Update tab, and click the Check for Updates button.

Then, click on the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#5 jej78

jej78
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 10 July 2011 - 08:47 PM

MBAM scan results safe mode just now:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7068

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

7/10/2011 9:38:26 PM
mbam-log-2011-07-10 (21-38-26).txt

Scan type: Quick scan
Objects scanned: 172901
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I also did a full scan just a few days ago and thought it might be helpful include that log as well - follows:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7037

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/6/2011 10:42:30 PM
mbam-log-2011-07-06 (22-42-30).txt

Scan type: Full scan (C:\|)
Objects scanned: 244970
Time elapsed: 1 hour(s), 6 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\10520253\Local Settings\Application Data\ymb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\10520253\Local Settings\Application Data\ymb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\10520253\Local Settings\Application Data\ymb.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\10520253\Local Settings\Application Data\ymb.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\10520253\local settings\Temp\jar_cache2747347141382277857.tmp (Trojan.FakeAlert.VGen) -> Quarantined and deleted successfully.
c:\documents and settings\10520253\local settings\Temp\jar_cache9183560490201290070.tmp (Trojan.FakeAlert.VGen) -> Quarantined and deleted successfully.

Moving on to next step now.

#6 jej78

jej78
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 11 July 2011 - 12:04 AM

SAS log. Will let you know if redirect issue persists.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/11/2011 at 00:16 AM

Application Version : 4.52.1000

Core Rules Database Version : 7392
Trace Rules Database Version: 5204

Scan type : Complete Scan
Total Scan Time : 02:06:11

Memory items scanned : 565
Memory threats detected : 0
Registry items scanned : 7247
Registry threats detected : 0
File items scanned : 85911
File threats detected : 39

Adware.Tracking Cookie
C:\Documents and Settings\10520253\Cookies\10520253@atdmt[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@burstnet[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@revsci[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@media6degrees[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@apmebf[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@adbrite[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@2o7[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@ads.undertone[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@statcounter[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@atwola[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@invitemedia[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@imrworldwide[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@ar.atwola[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@doubleclick[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@advertising[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@interclick[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@collective-media[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@at.atwola[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@tacoda.at.atwola[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@specificclick[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@mediaplex[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@ad.yieldmanager[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@trafficmp[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@ad.yieldmanager[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@ru4[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@zedo[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@r1-ads.ace.advertising[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@casalemedia[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@insightexpressai[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@www.burstnet[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@media.adfrontiers[1].txt
C:\Documents and Settings\10520253\Cookies\10520253@questionmarket[2].txt
C:\Documents and Settings\10520253\Cookies\10520253@ar.atwola[3].txt
C:\Documents and Settings\10520253\Cookies\10520253@fastclick[1].txt
media.scanscout.com [ C:\Documents and Settings\10520253\Application Data\Macromedia\Flash Player\#SharedObjects\WKWFR6EP ]
mediacast.realgravity.com [ C:\Documents and Settings\10520253\Application Data\Macromedia\Flash Player\#SharedObjects\WKWFR6EP ]
s0.2mdn.net [ C:\Documents and Settings\10520253\Application Data\Macromedia\Flash Player\#SharedObjects\WKWFR6EP ]
secure-us.imrworldwide.com [ C:\Documents and Settings\10520253\Application Data\Macromedia\Flash Player\#SharedObjects\WKWFR6EP ]
spe.atdmt.com [ C:\Documents and Settings\10520253\Application Data\Macromedia\Flash Player\#SharedObjects\WKWFR6EP ]

#7 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:12:26 PM

Posted 11 July 2011 - 10:27 AM

Hi jej78,

:step1: Let's rerun Malwarebytes' in Normal Mode (not Safe Mode).

Open Malwarebytes, click on the Update tab, and click the Check for Updates button.
Then, click on the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

:step2: I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

:step3: Your version of Java is out of date.

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u26-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

:step4: Your version of Adobe Flash Player is out of date.

Please go here: http://filehippo.com/download_flashplayer/

Download and install both versions, Flash Player 10.3.181.34 (IE) and Flash Player 10.3.181.34 (Non-IE).


To recap, please include in your next reply:
  • Latest Malwarebytes' log
  • ESET log
  • When you ran TDSSKiller, did it find anything and did you allow it to cure it?
  • How's your computer running now? Please describe in detail anything out of the ordinary.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#8 jej78

jej78
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 11 July 2011 - 09:41 PM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7082

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/11/2011 7:27:35 PM
mbam-log-2011-07-11 (19-27-35).txt

Scan type: Quick scan
Objects scanned: 174538
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET:
C:\Documents and Settings\10520253\Application Data\Sun\Java\Deployment\cache\6.0\30\5078275e-19ad6a59 Java/Agent.CS trojan deleted - quarantined
C:\Documents and Settings\10520253\Local Settings\Temp\jar_cache4843207799336066258.tmp Java/Agent.CR trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\57\648153b9-7d55a2f1 multiple threats deleted - quarantined
C:\WINDOWS\system32\12543.js JS/TrojanDownloader.Agent.NWG trojan cleaned by deleting - quarantined

#9 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:12:26 PM

Posted 11 July 2011 - 09:52 PM

Hi jej78,

Looking good. Let's update AVG and run a full system scan. It may take a while to complete. Let me know if it finds anything.

A couple questions:
  • When you ran TDSSKiller, did it find anything and did you allow it to cure it?
  • How's your computer running now? Please describe in detail anything out of the ordinary.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#10 jej78

jej78
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 11 July 2011 - 10:23 PM

I believe TDSSKiller picked up and cured something called "xe" or maybe "ex".

Just was doing some google searches and avg detected "about[1].exe" as malware and quarantined it. Other than that, running ok.

Getting ready to run the full AVG scan after update.

#11 jej78

jej78
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 12 July 2011 - 05:43 AM

AVG scan found nothing.

Still a little concerned about what it found while I was doing some google searching.

#12 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:12:26 PM

Posted 12 July 2011 - 07:59 AM

Yes, that concerns me, too.

Let's see what that file was:
  • Open AVG
  • On the Tools menu select Advanced settings.
  • Open Temporarily disable AVG protection in the tree on the left side.
  • On the right side select Temporarily disable AVG protection (we're doing this so we can find out if the file is a false positive or not, and so AVG doesn't quarantine the file while we find this out).
  • Click OK.
  • In the opened window, leave it at the default of 10 minutes, for how long the protection will be disabled. All parts will be automatically enabled after the selected time.
  • Click Disable real-time protection.
  • Back at the main AVG window, click on History (at the top of the window)
  • Click on Virus Vault
  • Find the "about[1].exe" file (it should be at the top of the list, unless AVG has found other items between when you posted and when you're looking at the Virus Vault), and select (highlight) it.
  • Click the "Restore As" button, and select your desktop.
  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows
  • Go to Virustotal: http://www.virustotal.com/
  • Click the choose file button and navigate to your desktop to select the about[1].exe file, then click Send File. You will only be able to have one file scanned at a time.
  • Copy and paste the website address (URL) of the scan results page in your next reply.

Edited by jntkwx, 12 July 2011 - 08:08 AM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users