
Google redirect, cycbot.b, Java/CVE, etc


5 replies to this topic

#1 TCdelta (Members, 3 posts)

Posted 07 July 2011 - 05:39 AM

Hello! And a preemptive "thank you" for reading my problems...

I'm running Windows 7.

A short while ago, I noticed that Google links in Firefox were redirecting to incorrect sites (such as those generic search engine/ad sites). I didn't think much of it at the time and figured it was just an average irritating piece of malware that I would fix when I got a chance. Then, sure enough, I was unable to access any websites due to a proxy preventing access.

I performed a system restore to a few weeks back. Didn't help.

I ran Malwarebytes while in safe mode and was able to eventually remove "cycbot.b". I also ran Microsoft Security Essentials, which supposedly removed another trojan - named "JAVA/selace".

I am now able to access the internet, but one time I was told that I could not access any webpages because I could not make a connection to a certain IP address. The Google redirect problem also appeared to be resolved, but it came back fully after a few minutes. Plus, when I opened Windows last time, Internet Explorer automatically opened several windows without me prompting it to open at all. And now, Microsoft Security Essentials finds "Exploit:Java/CVE-2008-5353.DL" when it runs.

Thanks again, and I look forward to any suggestions!


#2 Broni (BC Advisor, 42,738 posts, Daly City, CA)

Posted 07 July 2011 - 10:37 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 TCdelta (Topic Starter, Members, 3 posts)

Posted 08 July 2011 - 12:08 AM

Thanks, Broni. Here you go:

Security Check

Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Adobe Flash Player 10.0.12.36
Adobe Reader 8.1.5
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Windows Defender MSMpEng.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````


MiniToolBox


MiniToolBox by Farbar
Ran by Colin Davis (administrator) on 07-07-2011 at 23:23:21
Windows 7 Home Premium (X64)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright © 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : ColinDavis-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : My Essentials

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
Physical Address. . . . . . . . . : 00-23-5A-00-4A-CC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : My Essentials
Description . . . . . . . . . . . : Intel® WiFi Link 5100 AGN
Physical Address. . . . . . . . . : 00-21-5D-71-D8-64
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5d53:d16a:892c:a94b%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, July 07, 2011 5:09:39 PM
Lease Expires . . . . . . . . . . : Monday, August 14, 2147 5:51:36 AM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 301998429
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-B6-23-72-00-23-5A-00-4A-CC
DNS Servers . . . . . . . . . . . : 192.168.2.1
209.18.47.61
209.18.47.62
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.My Essentials:

Connection-specific DNS Suffix . : My Essentials
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5efe:192.168.2.3%15(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.2.1
209.18.47.61
209.18.47.62
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:2cd7:3466:3f57:fdfc(Preferred)
Link-local IPv6 Address . . . . . : fe80::2cd7:3466:3f57:fdfc%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{76FE8F55-FF90-4461-A47E-5AF989821421}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.2.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Name: google.com
Addresses: 74.125.159.106
74.125.159.106


Pinging google.com [74.125.45.99] with 32 bytes of data:
Reply from 74.125.45.99: bytes=32 time=33ms TTL=53
Reply from 74.125.45.99: bytes=32 time=35ms TTL=53

Ping statistics for 74.125.45.99:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 33ms, Maximum = 35ms, Average = 34ms
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.2.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=63ms TTL=53
Reply from 98.137.149.56: bytes=32 time=63ms TTL=53

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 63ms, Maximum = 63ms, Average = 63ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=4ms TTL=128
Reply from 127.0.0.1: bytes=32 time=2ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 4ms, Average = 3ms
===========================================================================
Interface List
11...00 23 5a 00 4a cc ......Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
10...00 21 5d 71 d8 64 ......Intel® WiFi Link 5100 AGN
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.3 30
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.2.0 255.255.255.0 On-link 192.168.2.3 286
192.168.2.3 255.255.255.255 On-link 192.168.2.3 286
192.168.2.255 255.255.255.255 On-link 192.168.2.3 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.2.3 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.2.3 286
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:2cd7:3466:3f57:fdfc/128
On-link
10 286 fe80::/64 On-link
12 306 fe80::/64 On-link
15 296 fe80::5efe:192.168.2.3/128
On-link
12 306 fe80::2cd7:3466:3f57:fdfc/128
On-link
10 286 fe80::5d53:d16a:892c:a94b/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
10 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/07/2011 09:55:31 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 10297

Error: (07/07/2011 09:55:31 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 10297

Error: (07/07/2011 09:55:31 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (07/07/2011 09:55:30 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 9251

Error: (07/07/2011 09:55:30 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 9251

Error: (07/07/2011 09:55:30 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (07/07/2011 09:55:29 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 8112

Error: (07/07/2011 09:55:29 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 8112

Error: (07/07/2011 09:55:29 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (07/07/2011 09:55:28 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 7098


System errors:
=============
Error: (07/07/2011 09:23:58 PM) (Source: DCOM) (User: )
Description: {064CB054-2518-474E-B2E8-200049528C42}

Error: (07/07/2011 09:23:15 PM) (Source: DCOM) (User: )
Description: C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe -Embedding740{E9513610-F218-4DDA-B954-2C7E6BA7CABB}

Error: (07/07/2011 05:10:34 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SymIM

Error: (07/07/2011 05:09:52 PM) (Source: Service Control Manager) (User: )
Description: The ElbyCDIO Driver service failed to start due to the following error:
%%1275

Error: (07/07/2011 05:09:52 PM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\ElbyCDIO.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (07/07/2011 05:08:13 PM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\RegKill.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (07/07/2011 05:09:15 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 5:06:05 PM on 7/7/2011 was unexpected.

Error: (07/07/2011 03:27:41 PM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer LARRYDAVIS-PC
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{74F9825E-AE28-41E7-BDD4-8A748A109D46}.
The master browser is stopping or an election is being forced.

Error: (07/07/2011 02:56:34 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SymIM

Error: (07/07/2011 02:56:27 PM) (Source: Service Control Manager) (User: )
Description: The ElbyCDIO Driver service failed to start due to the following error:
%%1275


Microsoft Office Sessions:
=========================

========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 61%
Total physical RAM: 4090.89 MB
Available physical RAM: 1570.3 MB
Total Pagefile: 8179.92 MB
Available Pagefile: 5440.41 MB
Total Virtual: 4095.88 MB
Available Virtual: 3984.86 MB

======================= Partitions: =======================================

1 Drive c: (SQ004834V03) (Fixed) (Total:287.83 GB) (Free:194.93 GB) NTFS
3 Drive e: (SAMSUNG) (Fixed) (Total:232.83 GB) (Free:142.26 GB) FAT32

================= Users: ==================================================

User accounts for \\COLINDAVIS-PC

-------------------------------------------------------------------------------
Administrator Colin Davis Guest
The command completed successfully.

================= End of Users ============================================


Malwarebytes


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7045

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

7/7/2011 11:30:13 PM
mbam-log-2011-07-07 (23-30-13).txt

Scan type: Quick scan
Objects scanned: 186464
Time elapsed: 2 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER


It did not find anything and the log file it produced was blank.
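Broni's MiniToolBox request in post #2 (Report IE Proxy Settings, List content of Hosts, List IP configuration) and the log TCdelta posted above cover the three places a redirect-type infection usually leaves traces: a hosts entry sending a well-known name elsewhere, a proxy silently switched on, or a resolver nobody configured. As an added example, not part of the thread and not code from MiniToolBox, Security Check or anyone posting here, the Python below parses text in the same layout offline and returns what a helper would look at first. Everything in it is constructed: the sample hosts, proxy and ipconfig text (192.0.2.0/24 and 203.0.113.0/24 are documentation address ranges), the "Proxy is enabled." / "Proxy Server:" wording for the enabled case (the log above only shows the disabled wording, so that format is an assumption), and the set of expected DNS servers, which the person doing the triage has to supply (here just the gateway). It also goes a little beyond the single log shown, in that it handles a hosts file that pins non-localhost names to loopback (a way of blocking vendor update sites) and ipconfig output with several adapters.

```python
"""Offline triage of the three MiniToolBox sections asked for in the thread:
IE proxy settings, hosts file content and the DNS servers from the IP
configuration. Added example; not code from MiniToolBox or anyone in the
thread. All sample text below is constructed."""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed hosts file: two stock lines plus two entries of the kind a
# redirect infection leaves behind (192.0.2.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
192.0.2.10 www.google.com  # constructed suspicious entry
192.0.2.10 www.bing.com
"""

# Constructed proxy section for the enabled case. The thread only shows the
# disabled wording, so this enabled wording is an assumption about the format.
SAMPLE_PROXY = """\
Proxy is enabled.
Proxy Server: http=127.0.0.1:8080
"""

# Constructed ipconfig excerpt in the thread's layout: first resolver on the
# "DNS Servers" line, further ones on bare continuation lines (203.0.113.0/24 is a documentation range).
SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.2.3(Preferred)
   Default Gateway . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 192.168.2.1
                                       203.0.113.5
"""

def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """One (ip, hostname) pair per name; comments and junk lines are ignored."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop full-line/inline comments
        if len(parts) < 2 or not _is_ip(parts[0]):
            continue
        entries.extend((parts[0], name.lower()) for name in parts[1:])
    return entries

def suspicious_hosts(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Everything except stock loopback lines: a public name sent elsewhere
    (redirect) or a non-localhost name pinned to loopback (blocks update sites)."""
    return [(ip, name) for ip, name in entries
            if not (ipaddress.ip_address(ip).is_loopback and name in LOOPBACK_NAMES)]

def parse_proxy(text: str) -> Dict[str, Optional[object]]:
    """Read the IE proxy section; 'Proxy is not enabled.' must not match."""
    enabled = re.search(r"^Proxy is enabled\.", text, re.M) is not None
    server = re.search(r"^Proxy Server:\s*(\S+)", text, re.M)
    return {"enabled": enabled, "server": server.group(1) if server else None}

def parse_dns_servers(text: str) -> List[str]:
    """Resolvers across all adapters, in order, including continuation lines."""
    servers: List[str] = []
    collecting = False
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"DNS Servers[ .]*:\s*(\S*)", line)
        if head:
            collecting, found = True, head.group(1)
        elif collecting and _is_ip(line):
            found = line  # bare address under the DNS Servers line
        else:
            collecting, found = False, ""
        if found and found not in servers:
            servers.append(found)
    return servers

def unexpected_dns(servers: List[str], expected: Set[str]) -> List[str]:
    """Resolvers not on the list the user knows to be legitimate."""
    return [s for s in servers if s not in expected]

def triage(hosts_text: str, proxy_text: str, ipconfig_text: str,
           expected_dns: Set[str]) -> Dict[str, object]:
    return {"hosts": suspicious_hosts(parse_hosts(hosts_text)),
            "proxy": parse_proxy(proxy_text),
            "dns": unexpected_dns(parse_dns_servers(ipconfig_text), expected_dns)}

if __name__ == "__main__":
    # Assumption: the gateway is the only resolver this user expects to see.
    for k, v in triage(SAMPLE_HOSTS, SAMPLE_PROXY, SAMPLE_IPCONFIG, {"192.168.2.1"}).items():
        print(f"{k}: {v}")
```

Run against the log TCdelta actually posted, the hosts section yields an empty list (only the stock localhost line), the proxy section reports disabled, and the DNS list is the gateway plus the two ISP resolvers, so the only thing left to judge is whether those two ISP addresses are the ones the user expects; that judgement is what the expected set is for, since a public resolver is not suspicious by itself.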

#4 Broni (BC Advisor, 42,738 posts, Daly City, CA)

Posted 08 July 2011 - 10:34 AM

I can see two AV programs running, MSE and Norton.
One of them has to go.
If Norton, make sure you use this tool to remove it: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

Is the redirection present in IE as well?

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


#5 TCdelta (Topic Starter, Members, 3 posts)

Posted 11 July 2011 - 01:21 PM

Thanks for the reply and sorry for the delay. I uninstalled Java and downloaded the newest version. That seemed to fix any problems I was having as I am not getting any more Google redirects in Firefox or IE.

Here are the results:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 13:18 on 11/07/2011 (Colin Davis)
Firefox version 3.0.19 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:17 14/01/2009]

C:\Users\Colin Davis\Application Data\Mozilla\Firefox\Profiles\doklqekx.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [20:27 07/07/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [17:56 14/06/2009]

-=E.O.F=-

#6 Broni (BC Advisor, 42,738 posts, Daly City, CA)

Posted 11 July 2011 - 07:25 PM

Good news :)

Still...

I can see two AV programs running, MSE and Norton.
One of them has to go.
If Norton, make sure you use this tool to remove it: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

