Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect, cycbot.b, Java/CVE, etc


  • Please log in to reply
5 replies to this topic

#1 TCdelta

TCdelta

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:43 PM

Posted 07 July 2011 - 05:39 AM

Hello! And a preemptive "thank you" for reading my problems...

I'm running Windows 7.

A short while ago, I noticed that Google links in Firefox were redirecting to incorrect sites (such as those generic search engine/ad sites). I didn't think much of it at the time and figured it was just an average irritating piece of malware that I would fix when I got a chance. Then, sure enough, I was unable to access any websites due to a proxy preventing access.

I performed a system restore to a few weeks back. Didn't help.

I ran Malware Bytes while in safe mode and was able to eventually remove "cycbot.b". I also ran Microsoft Security Essentials, which supposedly removed another trojan - named "JAVA/selace".

I am now able to access the internet, but one time I was told that I could not access any webpages because I could not make a connection to a certain IP address. The Google redirect problem also appeared to be resolved, but it came back fully after a few minutes. Plus, when I opened Windows last time, Internet Explorer automatically opened several windows without me prompting it to open at all. And now, Microsoft Security Essentials finds "Exploit:Java/CVE-2008-5353.DL" when it runs.

Thanks again, and I look forward to any suggestions!

BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:43 PM

Posted 07 July 2011 - 10:37 PM

Welcome aboard Posted Image

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 TCdelta

TCdelta
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:43 PM

Posted 08 July 2011 - 12:08 AM

Thanks, Broni. Here you go:

Security Check

Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Adobe Flash Player 10.0.12.36
Adobe Reader 8.1.5
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Windows Defender MSMpEng.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````


MiniToolBox


MiniToolBox by Farbar
Ran by Colin Davis (administrator) on 07-07-2011 at 23:23:21
Windows 7 Home Premium (X64)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright © 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : ColinDavis-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : My Essentials

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
Physical Address. . . . . . . . . : 00-23-5A-00-4A-CC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : My Essentials
Description . . . . . . . . . . . : Intel® WiFi Link 5100 AGN
Physical Address. . . . . . . . . : 00-21-5D-71-D8-64
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5d53:d16a:892c:a94b%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, July 07, 2011 5:09:39 PM
Lease Expires . . . . . . . . . . : Monday, August 14, 2147 5:51:36 AM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 301998429
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-B6-23-72-00-23-5A-00-4A-CC
DNS Servers . . . . . . . . . . . : 192.168.2.1
209.18.47.61
209.18.47.62
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.My Essentials:

Connection-specific DNS Suffix . : My Essentials
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5efe:192.168.2.3%15(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.2.1
209.18.47.61
209.18.47.62
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:2cd7:3466:3f57:fdfc(Preferred)
Link-local IPv6 Address . . . . . : fe80::2cd7:3466:3f57:fdfc%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{76FE8F55-FF90-4461-A47E-5AF989821421}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.2.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Name: google.com
Addresses: 74.125.159.106
74.125.159.106


Pinging google.com [74.125.45.99] with 32 bytes of data:
Reply from 74.125.45.99: bytes=32 time=33ms TTL=53
Reply from 74.125.45.99: bytes=32 time=35ms TTL=53

Ping statistics for 74.125.45.99:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 33ms, Maximum = 35ms, Average = 34ms
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.2.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=63ms TTL=53
Reply from 98.137.149.56: bytes=32 time=63ms TTL=53

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 63ms, Maximum = 63ms, Average = 63ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=4ms TTL=128
Reply from 127.0.0.1: bytes=32 time=2ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 4ms, Average = 3ms
===========================================================================
Interface List
11...00 23 5a 00 4a cc ......Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
10...00 21 5d 71 d8 64 ......Intel® WiFi Link 5100 AGN
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.3 30
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.2.0 255.255.255.0 On-link 192.168.2.3 286
192.168.2.3 255.255.255.255 On-link 192.168.2.3 286
192.168.2.255 255.255.255.255 On-link 192.168.2.3 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.2.3 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.2.3 286
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:2cd7:3466:3f57:fdfc/128
On-link
10 286 fe80::/64 On-link
12 306 fe80::/64 On-link
15 296 fe80::5efe:192.168.2.3/128
On-link
12 306 fe80::2cd7:3466:3f57:fdfc/128
On-link
10 286 fe80::5d53:d16a:892c:a94b/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
10 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/07/2011 09:55:31 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 10297

Error: (07/07/2011 09:55:31 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 10297

Error: (07/07/2011 09:55:31 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (07/07/2011 09:55:30 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 9251

Error: (07/07/2011 09:55:30 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 9251

Error: (07/07/2011 09:55:30 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (07/07/2011 09:55:29 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 8112

Error: (07/07/2011 09:55:29 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 8112

Error: (07/07/2011 09:55:29 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (07/07/2011 09:55:28 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 7098


System errors:
=============
Error: (07/07/2011 09:23:58 PM) (Source: DCOM) (User: )
Description: {064CB054-2518-474E-B2E8-200049528C42}

Error: (07/07/2011 09:23:15 PM) (Source: DCOM) (User: )
Description: C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe -Embedding740{E9513610-F218-4DDA-B954-2C7E6BA7CABB}

Error: (07/07/2011 05:10:34 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SymIM

Error: (07/07/2011 05:09:52 PM) (Source: Service Control Manager) (User: )
Description: The ElbyCDIO Driver service failed to start due to the following error:
%%1275

Error: (07/07/2011 05:09:52 PM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\ElbyCDIO.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (07/07/2011 05:08:13 PM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\RegKill.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (07/07/2011 05:09:15 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 5:06:05 PM on ?7/?7/?2011 was unexpected.

Error: (07/07/2011 03:27:41 PM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer LARRYDAVIS-PC
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{74F9825E-AE28-41E7-BDD4-8A748A109D46}.
The master browser is stopping or an election is being forced.

Error: (07/07/2011 02:56:34 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SymIM

Error: (07/07/2011 02:56:27 PM) (Source: Service Control Manager) (User: )
Description: The ElbyCDIO Driver service failed to start due to the following error:
%%1275


Microsoft Office Sessions:
=========================

========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 61%
Total physical RAM: 4090.89 MB
Available physical RAM: 1570.3 MB
Total Pagefile: 8179.92 MB
Available Pagefile: 5440.41 MB
Total Virtual: 4095.88 MB
Available Virtual: 3984.86 MB

======================= Partitions: =======================================

1 Drive c: (SQ004834V03) (Fixed) (Total:287.83 GB) (Free:194.93 GB) NTFS
3 Drive e: (SAMSUNG) (Fixed) (Total:232.83 GB) (Free:142.26 GB) FAT32

================= Users: ==================================================

User accounts for \\COLINDAVIS-PC

-------------------------------------------------------------------------------
Administrator Colin Davis Guest
The command completed successfully.

================= End of Users ============================================


MalwareBytes


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7045

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

7/7/2011 11:30:13 PM
mbam-log-2011-07-07 (23-30-13).txt

Scan type: Quick scan
Objects scanned: 186464
Time elapsed: 2 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER


It did not find anything and the log file it produced was blank.

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:43 PM

Posted 08 July 2011 - 10:34 AM

I can see two AV programs running, MSE and Norton.
One of them has to go.
If Norton, make sure you use this tool to remove it: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

Is the redirection present in IE as well?

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#5 TCdelta

TCdelta
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:43 PM

Posted 11 July 2011 - 01:21 PM

Thanks for the reply and sorry for the delay. I uninstalled Java and downloaded the newest version. That seemed to fix any problems I was having as I am not getting any more Google redirects in Firefox or IE.

Here are the results:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 13:18 on 11/07/2011 (Colin Davis)
Firefox version 3.0.19 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:17 14/01/2009]

C:\Users\Colin Davis\Application Data\Mozilla\Firefox\Profiles\doklqekx.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [20:27 07/07/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [17:56 14/06/2009]

-=E.O.F=-

#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:43 PM

Posted 11 July 2011 - 07:25 PM

Good news :)

Still...

I can see two AV programs running, MSE and Norton.
One of them has to go.
If Norton, make sure you use this tool to remove it: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users