Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Goingonearth internet hijack


  • Please log in to reply
5 replies to this topic

#1 specsga

specsga

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 16 July 2011 - 01:24 AM

Hello I am getting redirected to the goingonearth site everytime I do a search and click a link. I can only ge to the link by copying it and pasting it in the address bar at the top of my browser. Please help me fix this issue.

Thanks
specsga

Edited by Blade Zephon, 16 July 2011 - 02:22 AM.
Moved from XP to AII. ~BZ


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:59 PM

Posted 16 July 2011 - 09:18 AM

Hello and welcome.
Your HOSTS file may be infected.
Reset the HOSTS file
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system.
Some types of malware will alter the HOSTS file as part of its infection. Please follow the instructions provided in How do I reset the hosts file back to the default?

To reset the hosts file automatically,go HERE click the Posted Image button. Then just follow the prompts in the Fix it wizard.


OR
Click Run in the File Download dialog box or save MicrosoftFixit50267.msi to your Desktop and double-click on it to run. Then just follow the promots in the Fix it wizard.


If you still redirect..
Please follow our Removal Guide here How to remove Google Redirects. You will move to the Automated Removal Instructions

If it finds something make sure Cure is selected
Next click Continue then Reboot now
A log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.




Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 specsga

specsga
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 16 July 2011 - 03:56 PM

Thanks for the response and help Boopme,

It seem to have solved the problem. Here is the log file you requested. Please let me know if there is anything else I should look out for.

Thanks,
specsga


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 7164

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/16/2011 4:45:19 PM
mbam-log-2011-07-16 (16-45-19).txt

Scan type: Quick scan
Objects scanned: 227579
Time elapsed: 6 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 5
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS.1\system32\atlinfo.dll (Trojan.P2P.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IJKUK66HMN (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SMH2B46TDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.P2P.Agent) -> Bad: (atlinfo.dll) Good: () -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.P2P.Agent) -> Bad: (bootlib.dll) Good: () -> Delete on reboot.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\producer.studio\application data\sky-banners (Adware.Adrotator) -> Quarantined and deleted successfully.
c:\documents and settings\producer.studio\application data\sky-banners\skb (Adware.Adrotator) -> Quarantined and deleted successfully.
c:\documents and settings\producer.studio\application data\street-ads (Adware.Adrotator) -> Quarantined and deleted successfully.
c:\documents and settings\producer.studio\application data\street-ads\sta (Adware.Adrotator) -> Quarantined and deleted successfully.
c:\WINDOWS.1\$ntuninstallmtf1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS.1\system32\atlinfo.dll (Trojan.P2P.Agent) -> Delete on reboot.
c:\WINDOWS.1\system32\bootlib.dll (Trojan.P2P.Agent) -> Delete on reboot.
c:\documents and settings\producer.studio\my documents\downloads\refog_setup_free_kl_514.exe (Spyware.KGBSpy) -> Quarantined and deleted successfully.
c:\documents and settings\producer.studio\local settings\temporary internet files\Content.IE5\GTMRGTMN\version[1].dat.dll (Trojan.P2P.Agent) -> Quarantined and deleted successfully.
c:\zrpt.xml (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS.1\system32\winset.ini (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\producer.studio\stsf.bat (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS.1\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS.1\Tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS.1\$ntuninstallmtf1011$\apuninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:59 PM

Posted 16 July 2011 - 06:18 PM

Ok good you did reboot after that scan,it is needed.

Lets be sure there is nothing left before we mop up..

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.



now check for outdated software.....
Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 specsga

specsga
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 17 July 2011 - 05:44 AM

Hello thanks again,

Here are the reports you've requested. Let me know if there is anything further to look for.

Thanks
specsga


ESETScan.txt

C:\WINDOWS.1\system32\F016E594CA6\explorer.exe a variant of Win32/Kryptik.HLE trojan cleaned by deleting - quarantined
D:\Cakewalk Sonar 8.5 Producer Iso.rar Win32/Agent.PIN trojan deleted - quarantined
D:\Cakewalk Sonar 8 Producer Iso\Cakewalk Sonar 8 Producer Iso\Cakewalk Sonar 8 Producer Iso.iso Win32/Agent.PIN trojan deleted - quarantined
D:\Downloads\DAEMON Tools Pro Advanced 4.41.0314.0232 Incl Crack & Patch\Crack.rar a variant of Win32/Kryptik.BBT trojan deleted - quarantined
D:\Program Files\Sony Setup\KeyGen\keygen.exe a variant of Win32/Keygen.AQ application cleaned by deleting - quarantined


Checkup.txt

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
ESET Online Scanner v3
McAfee VirusScan Enterprise
McAfee Agent
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Out of date HijackThis installed!
Malwarebytes' Anti-Malware
HijackThis 1.99.1
CleanMyPC - Registry Cleaner
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Adobe Reader 9.4.5
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VirusScan Enterprise SHSTAT.EXE
``````````End of Log````````````

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:59 PM

Posted 17 July 2011 - 03:53 PM

Ok, your problems were caused by a downloaded Keygen.

IMPORTANT NOTE: The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

trendmicro.com/vinfo

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware

When you use these kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Before we can continue, I need you to remove all cracks and keygens immediately to reduce the risk of infection/reinfection. If not, then we are just wasting time trying to clean your system. Further, other tools used during the disinfection process may detect crack and keygens so we need to ensure they have been removed.

Using these types of programs or the websites you visited to get them is almost a guaranteed way to get yourself infected!!



Are you still going to Goingonearth ?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users