Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect Virus


  • Please log in to reply
13 replies to this topic

#1 Firelizard

Firelizard

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:00 PM

Posted 11 July 2011 - 04:17 PM

Hi, am new to the forum but have been using stuff from BleepingComputer for a while now.

My problem is this silly google redirect virus, which has chosen to go into my Firefox browser and really mess with my head regardless of the search engine I am using. No matter what I search up, it'll repeatedly redirect the page I'm going to. If I say search up 'bleeping computer', it will redirect me to a blank page like this, with a rather weird url.

Posted Image

It'll usually be this goingonearth that the browser will redirect to. Even if I say click 'open in new tab' or even if I try to copy the url of the link itself and paste it in the address bar it'll just show up on this goingonearth place.

It's getting to be a real bother, and if any help could be given I'd be ecstatic. It's been plaguing me for a while, and it's starting to be real annoying. For more information, it also occurred on google chrome before I uninstalled it in the hopes that it'd stop afterwards. However it seems to be present in both browsers and all manner of search engines (Google, Yahoo, Bing, etc).

Edit: Running vista, by the way.

Edited by Firelizard, 11 July 2011 - 04:25 PM.


BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:00 AM

Posted 11 July 2011 - 09:06 PM

Welcome aboard Posted Image

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 Firelizard

Firelizard
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:00 PM

Posted 12 July 2011 - 12:28 PM

Results of screen317's Security Check version 0.99.7
Windows Vista (UAC is enabled)
Out of date service pack!!
Internet Explorer 7 Out of date!
Error creating install.txt after 3 tries! Trying alternate method...
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 21
Out of date Java installed!
Adobe Flash Player
Adobe Reader 9.3.3
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````


Will post these as the scans and the like as they are completed. It seems that I already had MBAM, though... :o

#4 Firelizard

Firelizard
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:00 PM

Posted 12 July 2011 - 12:37 PM

MiniToolBox by Farbar
Ran by Justin Lee (administrator) on 12-07-2011 at 13:29:51
Windows Vista ™ Business (X86)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================

========================= FF Proxy Settings: ==============================


========================= End of FF Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright © 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set interface luid=loopback_0 forwarding=disabled advertise=disabled mtu=0 metric=0 metric=0 nud=disabled basereachabletime=0 retransmittime=0 routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
set interface luid=ethernet_2 forwarding=disabled advertise=disabled mtu=0 metric=0 metric=0 nud=disabled basereachabletime=0 retransmittime=0 routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
set interface luid=ethernet_1 forwarding=disabled advertise=disabled mtu=0 metric=0 metric=0 nud=disabled basereachabletime=0 retransmittime=0 routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
set interface luid=ethernet_4 forwarding=disabled advertise=disabled mtu=0 metric=0 metric=0 nud=disabled basereachabletime=0 retransmittime=0 routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled
set interface luid=wireless_0 forwarding=disabled advertise=disabled mtu=0 metric=0 metric=0 nud=disabled basereachabletime=0 retransmittime=0 routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : JUSTINLEE
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : home

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Intel® PRO/Wireless 3945ABG Network Connection
Physical Address. . . . . . . . . : 00-19-D2-17-00-8A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7c01:5231:89c:72a%9(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, July 12, 2011 1:03:12 PM
Lease Expires . . . . . . . . . . : Wednesday, July 13, 2011 1:03:12 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 184555986
DNS Servers . . . . . . . . . . . : 192.168.1.1
71.242.0.12
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® PRO/1000 PL Network Connection
Physical Address. . . . . . . . . : 00-15-B7-3D-9F-54
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 8:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{3F6FE884-1D6C-4E97-ABFC-29C4900B4391}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : isatap.home
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.4%16(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.1
71.242.0.12
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: Wireless_Broadband_Router.home
Address: 192.168.1.1:53

Name: google.com
Addresses: 74.125.91.105, 74.125.91.147, 74.125.91.106, 74.125.91.104
74.125.91.103, 74.125.91.99



Pinging google.com [74.125.91.105] with 32 bytes of data:



Request timed out.

Request timed out.



Ping statistics for 74.125.91.105:

Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Server: Wireless_Broadband_Router.home
Address: 192.168.1.1:53

Name: yahoo.com
Addresses: 69.147.125.65, 72.30.2.43, 98.137.149.56, 209.191.122.70
67.195.160.76



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:



Reply from 209.191.122.70: bytes=32 time=61ms TTL=250

Reply from 209.191.122.70: bytes=32 time=57ms TTL=250



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 57ms, Maximum = 61ms, Average = 59ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
9 ...00 19 d2 17 00 8a ...... Intel® PRO/Wireless 3945ABG Network Connection
7 ...00 15 b7 3d 9f 54 ...... Intel® PRO/1000 PL Network Connection
1 ........................... Software Loopback Interface 1
11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
8 ...00 00 00 00 00 00 00 e0 isatap.{3F6FE884-1D6C-4E97-ABFC-29C4900B4391}
16 ...00 00 00 00 00 00 00 e0 isatap.home
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.4 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.4 281
192.168.1.4 255.255.255.255 On-link 192.168.1.4 281
192.168.1.255 255.255.255.255 On-link 192.168.1.4 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.4 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.4 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
9 281 fe80::/64 On-link
16 286 fe80::5efe:192.168.1.4/128
On-link
9 281 fe80::7c01:5231:89c:72a/128
On-link
1 306 ff00::/8 On-link
9 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/12/2011 01:26:58 PM) (Source: Windows Search Service) (User: )
Description: The protocol handler IEPH.RSSHandler cannot be loaded. Error description: MAPI: Logon failed. .

Error: (07/12/2011 01:26:58 PM) (Source: Windows Search Service) (User: )
Description: The protocol handler IEPH.HistoryHandler cannot be loaded. Error description: The system cannot find the file specified. .

Error: (07/12/2011 01:24:54 PM) (Source: Windows Search Service) (User: )
Description: The protocol handler IEPH.RSSHandler cannot be loaded. Error description: MAPI: Logon failed. .

Error: (07/12/2011 01:24:54 PM) (Source: Windows Search Service) (User: )
Description: The protocol handler IEPH.HistoryHandler cannot be loaded. Error description: The system cannot find the file specified. .

Error: (07/12/2011 01:22:57 PM) (Source: Application Error) (User: )
Description: Faulting application Skype.exe, version 5.0.0.152, time stamp 0x4cb31516, faulting module Skype.exe, version 5.0.0.152, time stamp 0x4cb31516, exception code 0xc0000005, fault offset 0x000d85d2,
process id 0x1724, application start time 0xSkype.exe0.

Error: (07/12/2011 01:22:17 PM) (Source: Windows Search Service) (User: )
Description: The protocol handler IEPH.RSSHandler cannot be loaded. Error description: MAPI: Logon failed. .

Error: (07/12/2011 01:22:17 PM) (Source: Windows Search Service) (User: )
Description: The protocol handler IEPH.HistoryHandler cannot be loaded. Error description: The system cannot find the file specified. .

Error: (07/12/2011 01:20:13 PM) (Source: Windows Search Service) (User: )
Description: The protocol handler IEPH.RSSHandler cannot be loaded. Error description: MAPI: Logon failed. .

Error: (07/12/2011 01:20:13 PM) (Source: Windows Search Service) (User: )
Description: The protocol handler IEPH.HistoryHandler cannot be loaded. Error description: The system cannot find the file specified. .

Error: (07/12/2011 01:17:04 PM) (Source: Windows Search Service) (User: )
Description: The protocol handler IEPH.RSSHandler cannot be loaded. Error description: MAPI: Logon failed. .


System errors:
=============
Error: (07/12/2011 01:04:03 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Tosrfcom

Error: (07/12/2011 01:04:03 PM) (Source: Service Control Manager) (User: )
Description: The SBSD Security Center Service service depends on the Security Center service which failed to start because of the following error:
%%1058

Error: (07/12/2011 01:03:04 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 11:32:21 AM on 7/12/2011 was unexpected.

Error: (07/12/2011 03:01:22 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: SYSTEM)
Description: 0x80070643Microsoft .NET Framework 1.1 Service Pack 1 Security Update for Windows 2000, Windows XP, Windows Vista, Windows Server 2008 (KB953297){A72E5A3C-38CC-4976-8E17-92D9D043BEDF}101

Error: (07/11/2011 10:46:55 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.

Error: (07/11/2011 10:46:54 PM) (Source: DCOM) (User: )
Description: The server {C2BFE331-6739-4270-86C9-493D9A04CD38} did not register with DCOM within the required timeout.

Error: (07/11/2011 06:25:40 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Tosrfcom

Error: (07/11/2011 06:25:40 PM) (Source: Service Control Manager) (User: )
Description: The SBSD Security Center Service service depends on the Security Center service which failed to start because of the following error:
%%1058

Error: (07/11/2011 06:24:01 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 5:44:55 PM on 7/11/2011 was unexpected.

Error: (07/11/2011 08:45:02 AM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer DAVID-PC
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{194AF22C-05F0-460C-A256-FB06FD654.
The master browser is stopping or an election is being forced.


Microsoft Office Sessions:
=========================

========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 47%
Total physical RAM: 2038.56 MB
Available physical RAM: 1075.36 MB
Total Pagefile: 4296.11 MB
Available Pagefile: 3038.98 MB
Total Virtual: 2047.88 MB
Available Virtual: 1988.57 MB

======================= Partitions: =======================================

1 Drive c: (SQ004218P03) (Fixed) (Total:144.38 GB) (Free:102.46 GB) NTFS
2 Drive d: (ROMETWBI) (CDROM) (Total:0.64 GB) (Free:0 GB) CDFS

================= Users: ==================================================

User accounts for \\JUSTINLEE

-------------------------------------------------------------------------------
Administrator ASPNET Guest
HelpAssistant Justin Lee SUPPORT_388945a0
The command completed successfully.

================= End of Users ============================================

Edited by Firelizard, 12 July 2011 - 12:42 PM.


#5 Firelizard

Firelizard
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:00 PM

Posted 12 July 2011 - 12:54 PM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7089

Windows 6.0.6000
Internet Explorer 7.0.6000.16982

7/12/2011 1:46:21 PM
mbam-log-2011-07-12 (13-46-21).txt

Scan type: Quick scan
Objects scanned: 165822
Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Firelizard

Firelizard
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:00 PM

Posted 12 July 2011 - 01:49 PM

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-12 14:47:32
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1652GSX rev.LV010A
Running: korj92wm.exe; Driver: C:\Users\JUSTIN~1\AppData\Local\Temp\pglcrpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8D04C620]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_alloca_probe + 574 81C562E4 4 Bytes [20, C6, 04, 8D] {AND DH, AL; ADD AL, 0x8d}

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#7 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:00 AM

Posted 12 July 2011 - 08:07 PM

1. First of all you're not running any AV program.
Install one of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
Update, run full scan, report on any findings?

2. Is the redirection present in IE as well?

3. Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#8 Firelizard

Firelizard
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:00 PM

Posted 13 July 2011 - 11:31 AM

The Avira full scan took quite a while to be done, but it did find 38 detections and one suspicious file. However these two files could not be moved, for some reason...

Posted Image

Posted Image

There was a report labeled AVSCAN-(Insert large list of numbers). I'll put it up in spoilers if it makes a difference.

Spoiler


#9 Firelizard

Firelizard
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:00 PM

Posted 13 July 2011 - 11:48 AM

I was redirected to other sites on Internet Explorer as well, but after the antivirus scan and quarantining of items it seems to have gone away. Though I am wary of saying it is gone, only to come back the next day to find that it was only 'hiding' from me. :P

As for the GooredFix, it was rather fast, whatever it did. Here's the log itself.

GooredFix by jpshortstuff (03.07.10.1)
Log created at 12:46 on 13/07/2011 (Justin Lee)
Firefox version 5.0 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:40 26/06/2011]
{AB2CE124-6272-4b12-94A9-7303C7397BD1} [00:09 08/12/2010]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [00:35 21/06/2010]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [03:40 06/08/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-

#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:00 AM

Posted 13 July 2011 - 06:48 PM

it was only 'hiding' from me

Does it mean both browsers are still affected?

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#11 Firelizard

Firelizard
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:00 PM

Posted 13 July 2011 - 09:26 PM

it was only 'hiding' from me

Does it mean both browsers are still affected?


Oh no, they both seem to be free of the infection now. A mistake of words on my part.

#12 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:00 AM

Posted 13 July 2011 - 09:29 PM

Ahh...you scared me :)

Any current issues?

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#13 Firelizard

Firelizard
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:00 PM

Posted 14 July 2011 - 09:00 AM

The virus seems to have gone away. Whatever you had me do seems to have worked!

C:\Users\Justin Lee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\7c88068a-5c4d3c77 Java/Agent.BV trojan deleted - quarantined
C:\Users\Justin Lee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\687efa1e-128ceedc a variant of Java/Agent.BR trojan deleted - quarantined
C:\Users\Justin Lee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\5ad4b738-5964b062 Java/Agent.BV trojan deleted - quarantined
C:\Users\Justin Lee\AppData\Roaming\Mozilla\Firefox\Profiles\7l78g0vv.default\extensions\{2a5ef21c-4c51-4660-a3ac-c9ea507fa437}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Users\Justin Lee\Downloads\ADBE_CS5_MasterKeygen.rar a variant of Win32/Keygen.BH application deleted - quarantined

#14 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:00 AM

Posted 14 July 2011 - 01:52 PM

Good news :)

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

==============================================================

Update Adobe Reader

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

==========================================================

Your computer is clean Posted Image

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create fresh, clean restore point.

Turn system restore off.
Restart computer.
Turn system restore back on.

If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

2. Make sure, Windows Updates are current (including Service Pack 2 installation and updating Internet Explorer to version 9!!!)

3. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

4. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

5. Run Temporary File Cleaner (TFC) weekly.

6. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

7. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

8. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users