Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Am I infected with a redirect virus/trojan?


  • This topic is locked This topic is locked
27 replies to this topic

#1 RHinOH

RHinOH

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 07 December 2011 - 04:47 PM

First, my system:
Old Dell Inspiron Laptop I6400
Microsoft Windows XP
Media Center Edition
Version 2002
Service Pack 3

At the time of the possible infection I was running Avira Antivir Free. I was using Internet Explorer 8.

Next, the symptoms (what I saw):
I was searching in yahoo looking for anything to help my Dad with a cell phone problem. I had clicked on multiple links to sites relating to that - cell phone sites, forums, etc.. Everything seemed ok. Then on my next click I found myself with a popup window that said "Please Wait! We check your devices" and a full normal sized browser window that appeared to be scanning my computer. Looking at my browser history, it looks like the "Please wait! We check your devices" came from 89.187.50.129 and the other window was 62.122.74.109. I see two other websites in my browser history from yesterday that I don't recognize. I don't know if a site I went to led me there, or if they are further sign of infection. 20732.c.evoplus and 21291.hit75.namiflow.

What I immediately did last night:
I tried clicking the x in the top of each window and nothing happened, so I brought up task manager and killed all applications running at the time. All internet explorers went away along with everything else. I ran the Avast Antivir Free. It cleaned up some cookies but did nothing else. However, I needed to shut down for the night and didn't let it finish.

What I did today:
My husband had said that he thought we should get better virus protection and last week had brought home Symantec Endpoint Protection from work. I uninstalled Avast Antivir Free and installed the Symantec Endpoint Protection. I did a whole computer scan. It quarantined one cookie and all of the following that it identified as trojans: gogol/Emailer.class, gogol/Familie.class, gogol/PhonBook.class, Is.class, MyName.class, Phone.class, and two compressed files (names are a mix of letters and numbers, 8 characters - 8 characters). It struck me as odd that it took 3 hours and said I have over 500,000 files on the computer. When I looked myself it looks like I have only over 100,000.

I have been using google and yahoo all day today trying to find a connection between these quarantined trojans and the behavior I saw yesterday. I've not found a connection. I've seen no strange popups and no strange redirects. The link I click on from my yahoo and google searches is what I go to.

So....given this.....does it mean I avoided infection by killing the two windows with task manager? Or am I infected and just haven't seen more signs of it yet?

If infected I know that I'll be moved to another forum for fix....if that happens it will be Sunday afternoon before I can take the first corrective action. I figured everyone is busy so it would be at least a few days before anyone got back with me. Thanks in advance for the help.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,488 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:59 AM

Posted 07 December 2011 - 08:27 PM

Hello and welcome.
We should know after this.
Did your compressed files look like this>> 3203397148:3809022017.exe


Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed



Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 RHinOH

RHinOH
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 08 December 2011 - 02:38 PM

Thanks Boopme. You asked me what those compressed file names looked like. I hadn't written them down but found them in a Symantec log file. They were:

3534cc33-3d7bf107
4f427469-3e836135

They don't show an extension on the file name. It shows them as a trojan horse. The other 6 trojan horse files (posted earlier) all ended in extension .class. They were apparently part of the compressed files (3 in each). It says one compressed file was under Application Data\Sun\Java\Deployment\cache\6.0\41 and the other under the same, but ending in 51.

This reminds me - after this happened, an article I read indicated that I should have only one version of java, the latest. So I upgraded my java and deleted all old versions via add/remove programs. I did all this *after* this all happened and after Symantec did the above cleanup.

I'll reply to your other two requests in two other separate posts to avoid confusion in the log files.

#4 RHinOH

RHinOH
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 08 December 2011 - 02:45 PM

MiniToolBox output:

<removed output now that Boopme has looked and responded - I'm embarrassed about what a mess my computer is with so much old unused junk!>

Edited by RHinOH, 08 December 2011 - 09:45 PM.


#5 RHinOH

RHinOH
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 08 December 2011 - 02:51 PM

Trying to add this as a separate post - for some reason it combined it with the previous on my first attempt.

MalwareBytes:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8331

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/7/2011 10:27:26 PM
mbam-log-2011-12-07 (22-27-26).txt

Scan type: Quick scan
Objects scanned: 221443
Time elapsed: 12 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\URLSearchHook.SoftomateURLSearchHook (Adware.Softomate) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,488 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:59 AM

Posted 08 December 2011 - 04:21 PM

Ok, we did find one.. lets see if there are more with one more scan.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 RHinOH

RHinOH
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 09 December 2011 - 09:28 AM

ESET Online Scan output:

C:\Documents and Settings\regina\Local Settings\Temp\ICReinstall\cnet_solidpdfcreator_free_exe[1].exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Documents and Settings\regina\Local Settings\Temp\is1598539481\zgInstaller.exe a variant of Win32/Toolbar.Zugo application deleted - quarantined
C:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll probably a variant of Win32/Adware.Softomate.AA application cleaned by deleting - quarantined
C:\Program Files\AOL Security Toolbar\tbuD\AOL_security_toolbar.dll probably a variant of Win32/Adware.Softomate.AA application cleaned by deleting - quarantined




I have 3 questions: Have we found anything so far that would explain why I was suddenly taken from my yahoo search results to that crazy "Please wait. We check your devices." stuff ? I suspect that AOL_security_toolbar.dll above is related to the deleted registry key in the other scan, since both say something about Adware.Softomate.

Also, I haven't signed onto any of my webmail accounts (yahoo, etc.) from this computer for fear that if my computer is infected, my email accounts might get hacked. Do you think it is safe to sign onto my email accounts now?

Finally, that solidpdfcreator I see above I had installed for a job a month or two ago. Is solidpdfcreator bad, or just the installer?

Thanks!

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,488 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:59 AM

Posted 09 December 2011 - 04:13 PM

I would think it was the Search hook removed by MBAM.. Yes toolbars are generall spyware/asware so i always remove them.

Can you PM me the MINI Toolbox again,from post 2.

Are you on a router?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 RHinOH

RHinOH
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 10 December 2011 - 08:13 PM

Yes, we have a router.

I will PM you the MINI Toolbox. Thanks!

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,488 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:59 AM

Posted 10 December 2011 - 11:35 PM

I meant to also ask this about the router,,Are other machines on it,if so are they redirecting?

Do you use Firefox?


Please download TDSSKiller.zip and and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Let the options as it is and click Continue
  • Let reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log have a name like: TDSSKiller.Version_Date_Time_log.txt.


How is it running now?

Edited by boopme, 10 December 2011 - 11:36 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 RHinOH

RHinOH
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 11 December 2011 - 09:41 PM

There are other machines on the router and I've not seen redirects on them.

I have not seen any redirects since you had me do all this cleanup. It seems to be running fine now.

I do use Firefox only when I need to use check4change on a work related website. I don't use it for any other kinds of browsing.

I need to get some work done right now. I will run the TDSSKiller tomorrow. Thanks for the help.

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,488 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:59 AM

Posted 11 December 2011 - 09:48 PM

OK, cool.. let me see that log tomorrow.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 RHinOH

RHinOH
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 12 December 2011 - 08:57 PM

drats drats drats.

Last night while browsing some yahoo results I had a result pull up and then immediately try to redirect to that same bogus ip address - 62.122.74.109. Avira hadn't caught it the first time, but symantec endpoint protection did catch it this time and wouldn't let me go there.

I'll get you the tdsskiller output. I'm going to run Malware Bytes and ESET again first to see if they catch something reinfected that they already cleared. I'll put that output here too.

#14 RHinOH

RHinOH
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 12 December 2011 - 09:57 PM

Rerun of malware bytes found nothing. It took so long to run because I was also searching for files with that bogus IP address at the same time.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8331

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/12/2011 9:55:34 PM
mbam-log-2011-12-12 (21-55-33).txt

Scan type: Quick scan
Objects scanned: 221818
Time elapsed: 48 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 RHinOH

RHinOH
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 13 December 2011 - 06:39 AM

Rerun of ESET found no threats at all.

Today I'm off work - will run the TDSSkiller and rerun my symantec endpoint protection scan also.

I was wondering if I was disinfected and then somehow became infected again, since I didn't see the redirect for days but then saw it again Sunday night. In that case I would expect something to find the re-infection. So far, nothing has.

Can these redirect viruses/trojans only redirect every once in a while? Maybe I was never disinfected - it was just lying in wait to appear again.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users