Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect virus - can't get rid of it


  • This topic is locked This topic is locked
12 replies to this topic

#1 thykarmabenill

thykarmabenill

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 05 October 2011 - 02:21 PM

Hi, just joined this forum. I'm posting from my laptop as I can't seem to login on my computer with the problem.

Computer in question has Windows 7 operating system, and uses firefox, latest version. I have AVG 2012 free edition running on there.

Summary- problems started happening this morning when I was talking to a friend on skype. I tried to link him to a site and he said his google wasn't working. Then when I tried google shortly thereafter, I realized I had a problem as well. I don't know if this is related at all, but at first I thought it was a DNS problem with Google. I had been messing around looking at various websites prior to this though, so maybe it was coincidental.

Anyway, I went through trying to click various links with strange redirects and popups and fake search sites after that and became suspicious and ran a full scan with AVG. It came up clean, so I was perplexed. Then I checked google's help thing and downloaded a couple of recommended virus scanners including malwarebytes and ran a scan with it. It found a few tracking cookies, so I messed with my avg settings to make it look for tracking cookies, found them with that too, but it said it couldn't remove them. Then I downloaded Hitman Pro 3.5 and it didn't find anything. Had to restart my computer eventually for some install/reinstall of all these virus programs, though, and when I did, AVG's resident shield started going crazy with tracking cookies, so I rescanned with AVG and this time it found several trojan horse viruses and removed/virus vaulted them. Still having the redirect issue though. Also, think it has disabled my firewall or something. Tried to restore firewall settings and it won't let me.

At this point I found this forum and made a backup disc and tried to register but I guess something is blocking my login because I can't log in on that computer. I downloaded Hijack this, but didn't run it because of the warnings provided here not to use that or combofix without professional support.

That's pretty much up to the point where I'm at now. Any help you could provide would be much appreciated!

Thanks a lot.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:25 PM

Posted 05 October 2011 - 03:49 PM

Hello. lets do these and see how it is after. First we'll try the connection.
We will also try Safe Mode with Networking.
If no joy all these can be run of a Flash Drive or CD.

Please click Start > Run, type inetcpl.cpl in the runbox and press enter.
Click the Connections tab and click the LAN settings option.
Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.
Now check if the internet is working again.

OR

Go to Start ... Run and type in cmd
A dos Window will appear.
Type in the dos window: netsh winsock reset
Click on the enter key.

Reboot your system to complete the process.


Reboot into Safe Mode with Networking
How to start Windows 7 in Safe Mode

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.6.4.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these[/color] instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.



Now run RKill....
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, [color="#8B0000"]Post new scan log
and Reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 thykarmabenill

thykarmabenill
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 06 October 2011 - 08:39 AM

Have started going through and doing these steps.

I was wondering, though, should I run tdsskiller and rkill still in safe mode with networking or go back to normal to run those? Because my antivirus isn't on anyway in safe mode... Sorry for dumb question.

#4 thykarmabenill

thykarmabenill
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 06 October 2011 - 10:13 AM

First off, thanks so much for your time and effort in helping me!

Here are the results of these actions you suggested:

LAN settings - use a proxy was not checked

netsh winsock reset - didn't work, said this: The following helper DLL can't be loaded: WSHELPER.DLL
The following command was not found: winsock reset

Gah, I still can't log on to this forum on the computer in question. It redirects me to a site with popups when I try to hit login. Is it safe for me to email the logs of the scans to myself and access them on my laptop or would I risk infecting it as well?

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:25 PM

Posted 06 October 2011 - 10:49 AM

The logs are safe they are only indicating the presence and location of malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 thykarmabenill

thykarmabenill
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 06 October 2011 - 12:33 PM

Okay here are logs:

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size.
List Minidump Files


MiniToolBox by Farbar
Ran by Kimberly (administrator) on 06-10-2011 at 08:15:52
Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

Hosts file not detected in the default directory
========================= IP Configuration: ================================The following helper DLL cannot be loaded: WSHELPER.DLL.


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Kimberly-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
Physical Address. . . . . . . . . : 00-19-66-E9-E5-67
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7cbd:3093:8239:8ae3%9(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.102(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, October 06, 2011 8:02:20 AM
Lease Expires . . . . . . . . . . : Friday, October 07, 2011 8:02:20 AM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 184555878
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-2D-F1-1A-00-19-66-E9-E5-67
DNS Servers . . . . . . . . . . . : 97.64.183.164
97.64.209.37
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{4651AA02-23E3-459A-A9CB-981A9438CA8E}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Pinging google.com [74.125.73.106] with 32 bytes of data:
Reply from 74.125.73.106: bytes=32 time=32ms TTL=48
Reply from 74.125.73.106: bytes=32 time=30ms TTL=50

Ping statistics for 74.125.73.106:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 30ms, Maximum = 32ms, Average = 31ms

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:
Reply from 72.30.2.43: bytes=32 time=64ms TTL=51
Reply from 72.30.2.43: bytes=32 time=64ms TTL=51

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 64ms, Maximum = 64ms, Average = 64ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
9...00 19 66 e9 e5 67 ......Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
10...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
12...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.102 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.102 276
192.168.0.102 255.255.255.255 On-link 192.168.0.102 276
192.168.0.255 255.255.255.255 On-link 192.168.0.102 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.102 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.102 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
9 276 fe80::/64 On-link
9 276 fe80::7cbd:3093:8239:8ae3/128
On-link
1 306 ff00::/8 On-link
9 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 06 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 07 mswsock.dll [File Not found] ()
Catalog5 08 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 09 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 mswsock.dll [File Not found] ()
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 06 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 07 mswsock.dll [File Not found] ()
x64-Catalog5 08 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 mswsock.dll [File Not found] ()
x64-Catalog9 02 mswsock.dll [File Not found] ()
x64-Catalog9 03 mswsock.dll [File Not found] ()
x64-Catalog9 04 mswsock.dll [File Not found] ()
x64-Catalog9 05 mswsock.dll [File Not found] ()
x64-Catalog9 06 mswsock.dll [File Not found] ()
x64-Catalog9 07 mswsock.dll [File Not found] ()
x64-Catalog9 08 mswsock.dll [File Not found] ()
x64-Catalog9 09 mswsock.dll [File Not found] ()
x64-Catalog9 10 mswsock.dll [File Not found] ()
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/06/2011 08:03:59 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/06/2011 07:44:43 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/05/2011 03:58:06 PM) (Source: Bonjour Service) (User: )
Description: mDNSCoreMachineSleep: mDNS_Unlock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error: (10/05/2011 03:58:06 PM) (Source: Bonjour Service) (User: )
Description: mDNSCoreMachineSleep: mDNS_Lock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error: (10/05/2011 03:07:32 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/05/2011 02:58:08 PM) (Source: Bonjour Service) (User: )
Description: mDNSCoreMachineSleep: mDNS_Unlock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error: (10/05/2011 02:58:08 PM) (Source: Bonjour Service) (User: )
Description: mDNSCoreMachineSleep: mDNS_Lock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error: (10/05/2011 02:10:09 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (10/05/2011 00:42:08 PM) (Source: Application Error) (User: )
Description: Faulting application name: ping.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc964
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x3569cc79
Faulting process id: 0x1358
Faulting application start time: 0xping.exe0
Faulting application path: ping.exe1
Faulting module path: ping.exe2
Report Id: ping.exe3

Error: (10/05/2011 00:33:15 PM) (Source: Bonjour Service) (User: )
Description: mDNSCoreMachineSleep: mDNS_Unlock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)


System errors:
=============
Error: (10/06/2011 08:07:46 AM) (Source: DCOM) (User: )
Description: 1068fdPHost{D3DCB472-7261-43CE-924B-0704BD730D5F}

Error: (10/06/2011 08:07:46 AM) (Source: DCOM) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (10/06/2011 08:02:40 AM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (10/06/2011 08:02:38 AM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:
%%1068

Error: (10/06/2011 08:02:38 AM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (10/06/2011 08:02:37 AM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (10/06/2011 08:02:36 AM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (10/06/2011 08:02:30 AM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (10/06/2011 08:02:22 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Avgldx64
Avgmfx64
discache
spldr
Wanarpv6

Error: (10/06/2011 08:02:21 AM) (Source: Service Control Manager) (User: )
Description: The Windows Firewall service depends on the Windows Firewall Authorization Driver service which failed to start because of the following error:
%%183


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.1.377)
Adobe Flash Player 10 ActiveX (Version: 10.1.53.64)
Adobe Flash Player 11 Plugin (Version: 11.0.1.152)
Adobe Reader 9.3.2 (Version: 9.3.2)
Amazon Unbox Video (Version: 2.1.0.124)
AMD Fusion for Gaming Beta (Version: 1.0.0)
APC PowerChute Personal Edition 3.0 (Version: 3.0)
Apple Application Support (Version: 2.0.1)
Apple Mobile Device Support (Version: 3.4.1.2)
Apple Software Update (Version: 2.1.3.127)
ASRock IES
ASRock InstantBoot
ATI Catalyst Install Manager (Version: 3.0.736.0)
AVG 2012 (Version: 12.0.1809)
AVG 2012 (Version: 12.0.2085)
AVG 2012 (Version: 2012.0.1809)
AVG PC Tuneup 2011 (Version: 10.0.0.26)
Bonjour (Version: 3.0.0.2)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Core Implementation (Version: 2009.0714.2132.36830)
Catalyst Control Center Graphics Full Existing (Version: 2009.0714.2132.36830)
Catalyst Control Center Graphics Full New (Version: 2009.0714.2132.36830)
Catalyst Control Center Graphics Light (Version: 2009.0714.2132.36830)
Catalyst Control Center Graphics Previews Common (Version: 2009.0714.2132.36830)
Catalyst Control Center Graphics Previews Vista (Version: 2009.0714.2132.36830)
Catalyst Control Center HydraVision Full (Version: 2009.0714.2132.36830)
Catalyst Control Center InstallProxy (Version: 2009.0714.2132.36830)
ccc-core-static (Version: 2009.0714.2132.36830)
ccc-utility64 (Version: 2009.0714.2132.36830)
CCC Help English (Version: 2009.0714.2131.36830)
CDDRV_Installer (Version: 4.60)
Click to Call with Skype (Version: 5.5.8013)
Conduit Engine (Version: )
Coupon Printer for Windows (Version: 5.0.0.1)
EPSON Printer Software
EPSON Scan
erLT (Version: 1.20.137.31)
Garden Composer 2005 (Version: 8.0)
Garden Planner 2.5 (Version: 2.5)
Google Talk (remove only)
Google Talk Plugin (Version: 2.3.2.0)
Hitman Pro 3.5 (Version: 3.5.9.130)
HL-2270DW (Version: 1.0.5.0)
ImagXpress (Version: 7.0.74.0)
iTunes (Version: 10.4.1.10)
Java Auto Updater (Version: 2.0.2.4)
Java™ 6 Update 21 (Version: 6.0.210)
KhalInstallWrapper (Version: 2.00.0000)
Logitech SetPoint (Version: 4.80)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel Viewer 2003 (Version: 11.0.8173.0)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Standard 2007 (Version: 12.0.6425.1000)
Microsoft Office Standard 2007 Trial (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft VC9 runtime libraries (Version: 1.0.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.50727.42)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
MobileMe Control Panel (Version: 3.1.6.0)
Mobipocket Reader 6.2 (Version: 6.2.608)
Mozilla Firefox 7.0.1 (x86 en-US) (Version: 7.0.1)
MSVC80_x64_v2 (Version: 1.0.3.0)
MSVC80_x86_v2 (Version: 1.0.3.0)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
neroxml (Version: 1.0.0)
Nokia Connectivity Cable Driver (Version: 7.1.36.0)
Nokia PC Suite (Version: 7.1.60.0)
NOOK for PC (Version: 2.5.4.7070)
OpenOffice.org 3.1 (Version: 3.1.9420)
PC Connectivity Solution (Version: 10.50.2.0)
PuTTY version 0.60 (Version: 0.60)
QuickTime (Version: 7.70.80.34)
Razer Lycosa (Version: 1.00.0000)
Realtek 8169 8168 8101E 8102E Ethernet Driver (Version: 1.00.0000)
Realtek High Definition Audio Driver
Safari (Version: 5.34.50.0)
Skype™ 5.5 (Version: 5.5.113)
TuneUp Companion 2.2.3 (Version: 2.2.3)
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2553110)
Ventrilo Client for Windows x64 (Version: 3.0.5.0)
Visual C++ 8.0 Runtime Setup Package (x64) (Version: 9.0.0.623)
Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)
VLC media player 1.0.1 (Version: 1.0.1)
Vuze (Version: 4.6)
Vuze Remote Toolbar (Version: 6.1.0.7)
Windows Driver Package - Nokia Modem (06/09/2010 7.01.0.8) (Version: 06/09/2010 7.01.0.8)
Windows Driver Package - Nokia Modem (10/07/2010 4.6) (Version: 10/07/2010 4.6)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0) (Version: 08/22/2008 7.0.0.0)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
WinRAR archiver
World of Warcraft (Version: 4.1.0.14007)

========================= Memory info: ===================================

Percentage of memory in use: 10%
Total physical RAM: 6143.24 MB
Available physical RAM: 5506.6 MB
Total Pagefile: 12284.68 MB
Available Pagefile: 11697.63 MB
Total Virtual: 4095.88 MB
Available Virtual: 3991.23 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:465.76 GB) (Free:375.44 GB) NTFS

========================= Users: ========================================

User accounts for \\KIMBERLY-PC

Administrator Guest Kimberly

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.6.4.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it.
To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.



08:22:54.0518 1972 TDSS rootkit removing tool 2.6.5.0 Oct 5 2011 20:52:46
08:22:56.0518 1972 ============================================================
08:22:56.0518 1972 Current date / time: 2011/10/06 08:22:56.0518
08:22:56.0518 1972 SystemInfo:
08:22:56.0518 1972
08:22:56.0518 1972 OS Version: 6.1.7601 ServicePack: 1.0
08:22:56.0518 1972 Product type: Workstation
08:22:56.0518 1972 ComputerName: KIMBERLY-PC
08:22:56.0518 1972 UserName: Kimberly
08:22:56.0518 1972 Windows directory: C:\Windows
08:22:56.0518 1972 System windows directory: C:\Windows
08:22:56.0518 1972 Running under WOW64
08:22:56.0518 1972 Processor architecture: Intel x64
08:22:56.0518 1972 Number of processors: 4
08:22:56.0518 1972 Page size: 0x1000
08:22:56.0518 1972 Boot type: Safe boot with network
08:22:56.0518 1972 ============================================================
08:22:57.0331 1972 Initialize success
08:23:07.0956 1580 Deinitialize success

Now run RKill....
Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

RKill ran as described and did not terminate anything

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, [color="#8B0000"]Post new scan log and Reboot into normal mode.


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7884

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

10/6/2011 8:59:21 AM
mbam-log-2011-10-06 (08-59-21).txt

Scan type: Quick scan
Objects scanned: 177643
Time elapsed: 1 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Temp\9b88.exe (Rootkit.0Access) -> Quarantined and deleted successfully.

I got excited when it removed a root kit but when I booted up normally AVG found some more trojans and got rid of them. Then it said it blocked some threats from my computer, I think they were from PING.Exe in SysWOW or something like that. There wasn't a log for me to see it. And so I ran MBAM again, here's that log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7884

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 9.0.8112.16421

10/6/2011 9:08:59 AM
mbam-log-2011-10-06 (09-08-59).txt

Scan type: Quick scan
Objects scanned: 177670
Time elapsed: 1 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\2600 (Trojan.Agent) -> Value: 2600 -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\local settings\Temp\545effff.com (Trojan.Agent) -> Quarantined and deleted successfully.

Then when I rebooted and ran MBAM again it found the same Trojan.Agent at that 2600 place and said delete on reboot again. It can't seem to get rid of that one. =/

Where do we go from here?

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:25 PM

Posted 06 October 2011 - 12:50 PM

Hmmm I cannot see why TDDS pased it and MBAM found a Z acces to remove..
Is this a 32 or 64 bit system?

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 thykarmabenill

thykarmabenill
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 06 October 2011 - 12:55 PM

It's 64 bit, sorry, probably should have said that before. I will try the ESET scanner.

#9 thykarmabenill

thykarmabenill
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 06 October 2011 - 02:48 PM

ESET scan log:

C:\$Recycle.Bin\S-1-5-21-1962503011-1622924913-1907608278-1000\$ROWAUQ8.exe a variant of Win32/InstallCore.C application cleaned by deleting - quarantined
C:\Users\Kimberly\AppData\Local\Temp\ICReinstall\cnet_HitmanPro35_exe.exe a variant of Win32/InstallCore.C application cleaned by deleting - quarantined
C:\Users\Kimberly\AppData\Local\Temp\ICReinstall\cnet_HitmanPro35_x64_exe.exe a variant of Win32/InstallCore.C application cleaned by deleting - quarantined
C:\Users\Kimberly\AppData\Local\Temp\is1598539481\zgInstaller.exe a variant of Win32/Toolbar.Zugo application deleted - quarantined
C:\Users\Kimberly\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\111005071356964.rsc multiple threats deleted - quarantined
C:\Users\Kimberly\Downloads\cnet_HitmanPro35_x64_exe.exe a variant of Win32/InstallCore.C application cleaned by deleting - quarantined
C:\Users\Kimberly\Downloads\registrybooster.exe a variant of Win32/RegistryBooster application deleted - quarantined
C:\Windows\assembly\tmp\U\80000032.@ a variant of Win32/Olmarik.AVQ trojan cleaned by deleting - quarantined

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:25 PM

Posted 06 October 2011 - 03:54 PM

Ok, we need to update Java and Adobe Reader.... Are you still redirecting after this??

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


Similarly Update to Adobe Reader X (10.1.0)
Note UN check the box so you do not install the toolbar,unless you really want it..

Free! Google Toolbar search Google from any web page, block pop-ups

Yes, install Google Toolbar - optional

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 thykarmabenill

thykarmabenill
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 07 October 2011 - 12:50 PM

I updated Java and Adobe Reader as you directed and ran a few scans again. ESET removed a few more viruses, and AVG found and removed another one. MBAM still keeps finding that same registry value problem that it can't fix. And unfortunately, still redirecting. Do you want logs of what those scans found/removed?

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:25 PM

Posted 07 October 2011 - 03:31 PM

We obviously have a deeper lurking malware that will require some special tools.

Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,963 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:25 PM

Posted 13 October 2011 - 01:36 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic422991.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users