Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Firefox redirecting Google searches?


  • Please log in to reply
21 replies to this topic

#1 Guest_Eugenlus_*

Guest_Eugenlus_*

  • Guests
  • OFFLINE
  •  

Posted 25 July 2011 - 01:06 PM

Hi, I've seen a lot of other users have problems with this and I am too - Google will only occasionally redirect me to other sites, find-stuff-fast, informationgetter.com, expandsearchanswers, it's really annoying - so I made an account, hopefully I can get some help. I'm using Firefox 5.0.1 (I reinstalled hoping to get rid of the redirects, but it didn't work). I've tried running Malwarebytes and Norton 360 and it found some stuff, but Google is still redirecting me. I'm using Windows 7.

Am I infected? What do I do?

BC AdBot (Login to Remove)

 


#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.

Posted 25 July 2011 - 03:56 PM

Hi Eugenlus,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screename jntkwx or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.


:step1: Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please post the contents of that document.

:step2: Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

:step3: I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


In your next reply, please include:
  • Security Check log
  • MiniToolBox log
  • ESET log
  • How's your computer running now? Are you redirected in Internet Explorer, or just Firefox? Please provide a detailed description any remaining problems, detailed word-for-word error messages that you are receiving, and/or screenshots of strange behavior.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#3 Guest_Eugenlus_*

Guest_Eugenlus_*

  • Guests
  • OFFLINE
  •  

Posted 27 July 2011 - 05:29 PM

Results of screen317's Security Check version 0.99.18
Windows 7 Service Pack 1 (UAC is enabled)
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Norton Internet Security
Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 22
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````














MiniToolBox by Farbar
Ran by Eugene (administrator) on 27-07-2011 at 15:33:18
Windows 7 Home Premium Service Pack 1 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================



========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add route prefix=169.254.0.0/16 interface="iftype0_0" nexthop=192.168.2.8 metric=1 publish=Yes


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : FriedRice
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : 06-25-D3-49-8D-20
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter
Physical Address. . . . . . . . . : 00-25-D3-49-8D-20
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8ad:f5e7:1793:8eb9%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.12(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, July 27, 2011 12:38:12 PM
Lease Expires . . . . . . . . . . : Wednesday, July 27, 2011 4:08:12 PM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 218113491
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-80-47-B1-40-61-86-14-81-53
DNS Servers . . . . . . . . . . . : 192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce 10/100/1000 Mbps Ethernet
Physical Address. . . . . . . . . : 40-61-86-14-81-53
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::40d2:df5d:2951:946b%10(Deprecated)
Autoconfiguration IPv4 Address. . : 169.254.148.107(Tentative)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{2FDD1F2F-2690-4953-B34D-860D87B42B69}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:184a:3e1d:93fa:b54d(Preferred)
Link-local IPv6 Address . . . . . : fe80::184a:3e1d:93fa:b54d%17(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: UnKnown
Address: 192.168.2.1

Name: google.com
Addresses: 74.125.115.106
74.125.115.104
74.125.115.105
74.125.115.99
74.125.115.147
74.125.115.103


Pinging google.com [74.125.115.106] with 32 bytes of data:
Reply from 74.125.115.106: bytes=32 time=50ms TTL=53
Reply from 74.125.115.106: bytes=32 time=54ms TTL=53

Ping statistics for 74.125.115.106:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 50ms, Maximum = 54ms, Average = 52ms
Server: UnKnown
Address: 192.168.2.1

Name: yahoo.com
Addresses: 72.30.2.43
98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65


Pinging yahoo.com [72.30.2.43] with 32 bytes of data:
Reply from 72.30.2.43: bytes=32 time=138ms TTL=56
Reply from 72.30.2.43: bytes=32 time=118ms TTL=56

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 118ms, Maximum = 138ms, Average = 128ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
12...06 25 d3 49 8d 20 ......Microsoft Virtual WiFi Miniport Adapter
11...00 25 d3 49 8d 20 ......Atheros AR9285 Wireless Network Adapter
10...40 61 86 14 81 53 ......NVIDIA nForce 10/100/1000 Mbps Ethernet
1...........................Software Loopback Interface 1
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
17...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.12 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 192.168.2.8 192.168.2.12 26
192.168.2.0 255.255.255.0 On-link 192.168.2.12 281
192.168.2.12 255.255.255.255 On-link 192.168.2.12 281
192.168.2.255 255.255.255.255 On-link 192.168.2.12 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.2.12 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.2.12 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
169.254.0.0 255.255.0.0 192.168.2.8 1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
17 58 ::/0 On-link
1 306 ::1/128 On-link
17 58 2001::/32 On-link
17 306 2001:0:4137:9e76:184a:3e1d:93fa:b54d/128
On-link
11 281 fe80::/64 On-link
17 306 fe80::/64 On-link
11 281 fe80::8ad:f5e7:1793:8eb9/128
On-link
17 306 fe80::184a:3e1d:93fa:b54d/128
On-link
1 306 ff00::/8 On-link
17 306 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/25/2011 02:39:30 PM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.51.1.1076, time stamp: 0x4e0a6f10
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7b96e
Exception code: 0xc0000005
Fault offset: 0x0005601e
Faulting process id: 0x1794
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (07/08/2011 01:23:34 PM) (Source: Application Hang) (User: )
Description: The program wmplayer.exe version 12.0.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: e7c

Start Time: 01cc3d93a7624580

Termination Time: 295

Application Path: C:\Program Files\Windows Media Player\wmplayer.exe

Report Id: 005dd781-a987-11e0-a985-e97b2adc4c5b

Error: (07/05/2011 03:38:57 PM) (Source: Application Error) (User: )
Description: Faulting application name: FBEngine.exe, version: 0.0.0.0, time stamp: 0x4e0b6d97
Faulting module name: MSVCR100.dll, version: 10.0.40219.1, time stamp: 0x4d5f0c22
Exception code: 0x80000003
Fault offset: 0x0008e0bc
Faulting process id: 0x478
Faulting application start time: 0xFBEngine.exe0
Faulting application path: FBEngine.exe1
Faulting module path: FBEngine.exe2
Report Id: FBEngine.exe3

Error: (07/04/2011 11:56:40 PM) (Source: Application Hang) (User: )
Description: The program fotobounce.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 141c

Start Time: 01cc3ac77bfaa322

Termination Time: 123

Application Path: C:\Program Files\fotobounce\fotobounce.exe

Report Id: c81d1f47-a6ba-11e0-aa70-ac104465f95b

Error: (06/26/2011 10:55:01 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (06/26/2011 00:17:57 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (06/25/2011 01:03:58 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (06/24/2011 11:28:46 AM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (06/23/2011 09:07:54 AM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (06/22/2011 11:33:18 AM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown


System errors:
=============
Error: (07/27/2011 00:53:19 PM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{2FDD1F2F-2690-4953-B34D-860D87B42B69}.
The backup browser is stopping.

Error: (07/27/2011 00:38:09 PM) (Source: Service Control Manager) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%20

Error: (07/26/2011 05:56:03 PM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{2FDD1F2F-2690-4953-B34D-860D87B42B69}.
The backup browser is stopping.

Error: (07/26/2011 01:22:44 PM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{2FDD1F2F-2690-4953-B34D-860D87B42B69}.
The backup browser is stopping.

Error: (07/26/2011 09:56:51 AM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{2FDD1F2F-2690-4953-B34D-860D87B42B69}.
The backup browser is stopping.

Error: (07/26/2011 09:41:50 AM) (Source: Service Control Manager) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%20

Error: (07/25/2011 08:04:52 PM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{2FDD1F2F-2690-4953-B34D-860D87B42B69}.
The backup browser is stopping.

Error: (07/25/2011 08:01:14 PM) (Source: Service Control Manager) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%20

Error: (07/25/2011 00:30:40 PM) (Source: Service Control Manager) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%20

Error: (07/24/2011 08:30:19 PM) (Source: Service Control Manager) (User: )
Description: The KtmRm for Distributed Transaction Coordinator service terminated unexpectedly. It has done this 1 time(s).


Microsoft Office Sessions:
=========================
Error: (07/25/2011 02:39:30 PM) (Source: Application Error)(User: )
Description: mbam.exe1.51.1.10764e0a6f10ntdll.dll6.1.7601.175144ce7b96ec00000050005601e179401cc4aea6f3c6f00C:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\SYSTEM32\ntdll.dll6e4b6c80-b6ed-11e0-aa00-add43ea31f5d

Error: (07/08/2011 01:23:34 PM) (Source: Application Hang)(User: )
Description: wmplayer.exe12.0.7601.17514e7c01cc3d93a7624580295C:\Program Files\Windows Media Player\wmplayer.exe005dd781-a987-11e0-a985-e97b2adc4c5b

Error: (07/05/2011 03:38:57 PM) (Source: Application Error)(User: )
Description: FBEngine.exe0.0.0.04e0b6d97MSVCR100.dll10.0.40219.14d5f0c22800000030008e0bc47801cc3b4768fe8810C:\Program Files\fotobounce\FBEngine.exeC:\Windows\system32\MSVCR100.dll6c0c6f00-a73e-11e0-a989-9871fb7afd53

Error: (07/04/2011 11:56:40 PM) (Source: Application Hang)(User: )
Description: fotobounce.exe0.0.0.0141c01cc3ac77bfaa322123C:\Program Files\fotobounce\fotobounce.exec81d1f47-a6ba-11e0-aa70-ac104465f95b

Error: (06/26/2011 10:55:01 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (06/26/2011 00:17:57 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (06/25/2011 01:03:58 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (06/24/2011 11:28:46 AM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (06/23/2011 09:07:54 AM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (06/22/2011 11:33:18 AM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown


========================= Memory info: ===================================

Percentage of memory in use: 52%
Total physical RAM: 3327.24 MB
Available physical RAM: 1567.6 MB
Total Pagefile: 6652.76 MB
Available Pagefile: 4734.86 MB
Total Virtual: 2047.88 MB
Available Virtual: 1931.77 MB

========================= Partitions: =====================================

1 Drive c: (OS_Install) (Fixed) (Total:115.24 GB) (Free:60.77 GB) NTFS
2 Drive d: (Data) (Fixed) (Total:172.85 GB) (Free:62.04 GB) NTFS

========================= Users: ========================================

User accounts for \\FRIEDRICE

Administrator Eugene Guest
UpdatusUser


== End of log ==









C:\Users\Eugene\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\4303e9c1-1f030c5c Java/Exploit.CVE-2010-0094.F trojan deleted - quarantined
C:\Users\Eugene\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\19e4c9d4-40cee15f probably a variant of Java/Agent.BR trojan deleted - quarantined
C:\Users\Eugene\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\5c9dfd94-7fd27f65 a variant of Java/Rowindal.E trojan deleted - quarantined
C:\Users\Eugene\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\56bf0f5a-23d90651 probably a variant of Win32/Agent.RPSVWU trojan cleaned by deleting - quarantined
C:\Users\Eugene\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\77ca675a-18b8518c a variant of Java/Agent.BR trojan deleted - quarantined
C:\Users\Eugene\AppData\Roaming\OpenCandy\OpenCandy_685BF76028684C27BE5BE6FD715E39D1\dlmgr_3_1.6.87.exe Win32/OpenCandy application deleted - quarantined




Jason,
My browser seems to be fine now! Thanks a lot. That was really quick, I know a lot of other people have been having some chronic problems.

-Eugene

#4 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:04:49 AM

Posted 27 July 2011 - 05:55 PM

Hi Eugene,

Let's double check you're malware-free.

:step1: Rerun Malwarebytes (Full Scan, may take some time.)
Open Malwarebytes, click on the Update tab, and click the check for Updates button.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If you have trouble updating, troubleshoot Malwarebytes' Anti-Malware

:step2: Reboot into Normal mode. Next run Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


In your next reply, please include:
  • Malwarebytes log
  • SuperAntiSpyware log
  • How's your computer running now?

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#5 Guest_Eugenlus_*

Guest_Eugenlus_*

  • Guests
  • OFFLINE
  •  

Posted 30 July 2011 - 04:25 PM

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7266

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

7/27/2011 11:23:37 PM
mbam-log-2011-07-27 (23-23-37).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 327905
Time elapsed: 2 hour(s), 43 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Eugene\AppData\Local\Temp\err.log25858990 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Eugene\AppData\Roaming\Adobe\plugs\kb25868803.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Eugene\AppData\Roaming\Adobe\plugs\kb25868818.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Eugene\AppData\Roaming\Adobe\plugs\kb25868865.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Eugene\AppData\Roaming\Adobe\plugs\kb25872313.exe (Trojan.Agent) -> Quarantined and deleted successfully.






SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/30/2011 at 04:59 PM

Application Version : 4.56.1000

Core Rules Database Version : 7490
Trace Rules Database Version: 5302

Scan type : Complete Scan
Total Scan Time : 01:32:36

Memory items scanned : 499
Memory threats detected : 0
Registry items scanned : 8451
Registry threats detected : 0
File items scanned : 129837
File threats detected : 0



Everything seems to be fine. I feel like such a lucky guy, thank you so much!

#6 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.

Posted 30 July 2011 - 04:29 PM

Rerun Malwarebytes
Open Malwarebytes, click on the Update tab, and click the check for Updates button. (The latest update is 7329.)
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If you have trouble updating, troubleshoot Malwarebytes' Anti-Malware
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#7 Guest_Eugenlus_*

Guest_Eugenlus_*

  • Guests
  • OFFLINE
  •  

Posted 31 July 2011 - 11:46 AM

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7339

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

7/31/2011 12:45:24 PM
mbam-log-2011-07-31 (12-45-23).txt

Scan type: Quick scan
Objects scanned: 170867
Time elapsed: 4 minute(s), 19 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
c:\Windows\System32\mscms32.exe (Trojan.Agent) -> 3296 -> Unloaded process successfully.
c:\programdata\api-ms-win-core-handle-l1-1-032.exe (Trojan.Agent) -> 3348 -> Unloaded process successfully.

Memory Modules Infected:
c:\Windows\System32\api-ms-win-core-handle-l1-1-032.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{023DB753-4FF8-41C2-891F-426F6A77A4Bf} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{023DB753-4FF8-41C2-891F-426F6A77A4BF} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{023DB753-4FF8-41C2-891F-426F6A77A4BF} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPCSvc32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\api-ms-win-core-handle-l1-1-032.dll (Trojan.Agent) -> Delete on reboot.
c:\Windows\System32\mscms32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\programdata\api-ms-win-core-handle-l1-1-032.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Eugene\AppData\Local\Temp\jucheck.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Eugene\AppData\Local\Temp\tmph5044641175264807282.tmp (Trojan.Agent) -> Quarantined and deleted successfully.



Now I don't understand. Didn't I just run a full scan? Rebooted and posted this.

#8 Mommy2535

Mommy2535

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:04:49 AM

Posted 31 July 2011 - 11:56 AM

Jason,
I have the SAME issue as in this forum. I have run malwarebytes and it came up with three things including two trojans and they were taken off of the computer and then I restarted it. It did not work. I am still being re-directed in google. Can I follow the above steps or start a new forum for you to help me? I will wait for a response before I do anything else. I am afraid to log in to my online banking or any other site with sensitive information. Please Help! Thank you!

#9 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.

Posted 31 July 2011 - 12:11 PM

Jason,
I have the SAME issue as in this forum. I have run malwarebytes and it came up with three things including two trojans and they were taken off of the computer and then I restarted it. It did not work. I am still being re-directed in google. Can I follow the above steps or start a new forum for you to help me? I will wait for a response before I do anything else. I am afraid to log in to my online banking or any other site with sensitive information. Please Help! Thank you!


Please start a new topic in the Am I Infected forum.

 

Now I don't understand. Didn't I just run a full scan? Rebooted and posted this.


I submitted a malware file to Malwarebytes' yesterday, and they have since included it in their definitions. How's the computer running now? Is Firefox still redirecting Google searches?
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#10 Guest_Eugenlus_*

Guest_Eugenlus_*

  • Guests
  • OFFLINE
  •  

Posted 31 July 2011 - 12:19 PM

Jason,

Funny thing happened. I was redirected to find-fast-answers again for the first time since I started the topic. Then I ran the Quick Scan of Malwarebytes like you suggested and nothing is redirecting. However, I am still a little skeptical because the previous redirect took place after a long period of time and though nothing is redirecting now, will it still come back? Thanks,

-Eugene

#11 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:04:49 AM

Posted 31 July 2011 - 12:40 PM

Eugenlus,

Have you been redirected after removing the threats found that in the last log you posted?
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#12 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.

Posted 31 July 2011 - 12:42 PM

Eugenlus,

Have you been redirected after removing the threats found that in the last log you posted?
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#13 Guest_Eugenlus_*

Guest_Eugenlus_*

  • Guests
  • OFFLINE
  •  

Posted 31 July 2011 - 12:44 PM

No. I must have clicked on about 50 Google links, but no. I will keep trying, though. Hopefully it's gone.

-Eugene

#14 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:49 AM

Posted 31 July 2011 - 12:50 PM

Let's double check we've found everything.

:step1: Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the anti-virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

:step2: I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#15 Guest_Eugenlus_*

Guest_Eugenlus_*

  • Guests
  • OFFLINE
  •  

Posted 31 July 2011 - 08:51 PM

Sorry for the late reply, I ran Dr. Web CureIt and it took 5 hours haha. Unfortunately it was not possible to "save report list," I could not click on that option, but I did take a screenshot of the statistics. No viruses were found, here is the picture. (For some reason, I cannot attach pictures?)

http://tinypic.com/r/s5jzpk/7

I am running the ESET scan now and will have the log posted. No redirects so far.

-Eugene




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users