
Redirects, MyWebSearch and security issues


This topic is locked.
5 replies to this topic

#1 PyroTurtle

PyroTurtle

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:10 PM

Posted 03 June 2012 - 06:12 PM

Hello, my computer has been having quite a few problems in the past few months. I am running Windows 7 64-bit Home Premium, with Windows Defender, Malwarebytes Anti-Malware and Kaspersky Internet Security 2012. I was running Trend Micro AntiVirus plus AntiSpyware, but I swapped it for Kaspersky. My apologies if the information from April is a bit fuzzy.

Back in early April, I caught a trojan, which I thought had been removed by Windows Defender (sadly, when I try to view the action history for Defender, it is blank, so I cannot recover the as is the quarantine). I don't think this is related to my larger problem, but it's probably a good idea to know this happened.

Several weeks later, when I was using Google, I was redirected to a website called Happili. I was very confused. This happened several other times that day. I ran a scan with Defender after the second redirect from Google to Happili, and caught a trojan. I ran scans after every redirect after this, and sure enough, I found another trojan the same day following the redirect.

Trend Micro began to give warnings about unauthorized changes. Here are a few of them; I believe the one from April 21st is the first one.

"Virus Scan Logs" "4/21/2012" ""
"Time" "Type" "Sub Type" "Detected Resource or Process ID" "Affected File" "Action Taken" "Company ID" "Types" "Policy Violated"
"15:53" "" "" "HKU\S-1-5-21-1134663700-2098254738-984184476-1004\Software\Microsoft\Windows\CurrentVersion\Run" "winkbj" "Unknown" "" "" "New Startup Program"

"Virus Scan Logs" "4/28/2012" ""
"Time" "Type" "Sub Type" "Detected Resource or Process ID" "Affected File" "Action Taken" "Company ID" "Types" "Policy Violated"
"16:47" "" "" "\" "18623814" "Unknown" "" "" "New Service"
"16:38" "" "" "\" "73990997" "Unknown" "" "" "New Service"
"14:10" "" "" "HKLM\Software\WOW6432NODE\Microsoft\Windows\CurrentVersion\RunOnce" "Malwarebytes Anti-Malware (cleanup)" "Unknown" "" "" "New Startup Program"

"Virus Scan Logs" "4/29/2012" ""
"Time" "Type" "Sub Type" "Detected Resource or Process ID" "Affected File" "Action Taken" "Company ID" "Types" "Policy Violated"
"12:36" "" "" "\" "35103152" "Unknown" "" "" "New Service"
"12:33" "" "" "\" "81760841" "Unknown" "" "" "New Service"
"12:08" "" "" "\" "83253026" "Unknown" "" "" "New Service"
"12:07" "" "" "\" "02599413" "Unknown" "" "" "New Service"


I ran a Malwarebytes scan on April 28th and caught some malware. The detected files and actions are below. (The asterisks are a username on the computer.)

C:\Users\*******\AppData\Roaming\Adorza\biadu.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Users\user1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0ZHOLQO2\RadioRage[1].exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\Users\user1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1LZC7JO8\RadioRage[1].exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.

Malwarebytes also has an undated quarantine on the "potentially unwanted modification", shown below.

Vendor: PUM.Hijack.StartMenu
Date: (not listed)
Category: Registry Data
Item: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch


As Trend Micro continued to give me warnings about unauthorized changes, I noticed that the source file had the same folder location every time. It was located in a Windows folder, but the driver number and program number/name changed every time. This led me to believe I had a rootkit, so I used TDSS Killer. It found 6 files on May 6th, and they were quarantined. Looking back from a TDSS quarantine folder from last Wednesday, it oddly gives 11 threats, although I thought the scan had found 6.

I ran a TDSS scan today, and found 6 threats, which I copied and quarantined. They were found with the parameters "Verify file digital signatures" and "Detect TDLFS file system". All of them were labelled as "Unsigned files" that were suspicious objects with medium risk:

18:27:18.0358 2432 Detected object count: 6
18:27:18.0358 2432 Actual detected object count: 6
18:32:33.0120 2432 C:\Program Files\Dell\DellDock\DockLogin.exe - copied to quarantine
18:32:33.0120 2432 DockLoginService ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
18:32:33.0229 2432 C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll - copied to quarantine
18:32:33.0229 2432 hpqcxs08 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
18:32:33.0244 2432 C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll - copied to quarantine
18:32:33.0260 2432 hpqddsvc ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
18:32:33.0354 2432 C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL - copied to quarantine
18:32:33.0354 2432 HPSLPSVC ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
18:32:33.0588 2432 C:\Windows\system32\HPZinw12.dll - copied to quarantine
18:32:33.0588 2432 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
18:32:33.0603 2432 C:\Windows\system32\HPZipm12.dll - copied to quarantine
18:32:33.0603 2432 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine

Towards the beginning of May, I used Microsoft Malicious Software Removal Tool. It found two trojans, named Medfos.A and Medfos.B, which I believe were removed. I have not experienced any redirects from this point onward. By May 6th, I replaced Trend Micro AV plus AS with Kaspersky Internet Security 2012.

Kaspersky found 6 trojans, and the Internet Explorer 9 add-ons for Sun Microsystems, Inc. disappeared with them. Kaspersky has them in its backup storage. The trojans were all found in AppData\LocalLow\Sun\Deployment\cache\6.0 folders. The file names were number and letter jumbles, but Kaspersky listed all of them as Exploit.Java.CVE-2010-4452.a.

However, problems still linger. Internet Explorer 9 has add-ons I am suspicious of. I have disabled one from Mindspark Interactive Network. The file date is listed as April 4, 2012, but it says it was last accessed in 1999, and that can't be true. Java Plug-In SSV Helper and Java Plug-In 2 SSV Helper also have file dates from April 4, 2012, and have been disabled.

I was plagued by misspelled Skype update pop-ups in the past, and I disabled the two add-ons I thought were associated with them, "Skype Browser Helper" and "Skype Click to Call", although it appears that they have been accessed even though they have been disabled, as the last access date is today, and I disabled them weeks ago.

The add-on, "Discuss", does not give a file date, but it says its last access date is also from 1999. Shockwave ActiveX Control, with a file date from April 26, 2012, also has the 1999 date. The Shockwave add-on is listed as a downloaded control. Both are still enabled.

Another annoying problem is that the windows I have open will change when I simply mouse over them, compared to clicking the window or changing after a delay. This never happened before all these problems.

The files in Kaspersky's storage, Malwarebytes' quarantine, and TDSS Killer's quarantine remain untouched. Kaspersky identifies system vulnerabilities from an Adobe Flash Player application in my HP printer folder and a Shockwave application. I have found a folder in my Program Files (x86) called RadioRage_4jEI with 3 DLLs in it. This seems to be related to some of the related files. I have also found MyWebSearch in Kaspersky's logs, but I can't seem to find an action to perform on it. IE9 also occasionally starts copying windows of itself on its own. A security update for Microsoft Works 9, listed as KB2680317, has failed to update many times.

Please help, and thank you in advance.

Edited by PyroTurtle, 03 June 2012 - 06:27 PM.
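The Trend Micro "Virus Scan Logs" excerpts quoted in the post, run through a small triage script. This is an added example, not code from the thread or from Trend Micro; the field layout is read off the quoted rows, and the "long all-digit service name with no binary path" heuristic is an assumption based on what the poster observed about the changing driver numbers.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the quoted Trend Micro "Virus Scan Logs" layout from the
# post (double-quoted, space-separated fields); rows copy entries from the thread.
SAMPLE_LOG = r'''"Virus Scan Logs" "4/21/2012" ""
"Time" "Type" "Sub Type" "Detected Resource or Process ID" "Affected File" "Action Taken" "Company ID" "Types" "Policy Violated"
"15:53" "" "" "HKU\S-1-5-21-1134663700-2098254738-984184476-1004\Software\Microsoft\Windows\CurrentVersion\Run" "winkbj" "Unknown" "" "" "New Startup Program"
"Virus Scan Logs" "4/28/2012" ""
"Time" "Type" "Sub Type" "Detected Resource or Process ID" "Affected File" "Action Taken" "Company ID" "Types" "Policy Violated"
"16:47" "" "" "\" "18623814" "Unknown" "" "" "New Service"
"16:38" "" "" "\" "73990997" "Unknown" "" "" "New Service"
"14:10" "" "" "HKLM\Software\WOW6432NODE\Microsoft\Windows\CurrentVersion\RunOnce" "Malwarebytes Anti-Malware (cleanup)" "Unknown" "" "" "New Startup Program"
'''
FIELD = re.compile(r'"([^"]*)"')        # every field is double-quoted, no embedded quotes
NUMERIC_NAME = re.compile(r'^\d{6,}$')   # assumed heuristic: long all-digit service names

def parse_trend_log(text: str) -> List[Dict[str, str]]:
    """Turn the quoted-field export into row dicts, carrying each block's date along."""
    rows, date = [], ''
    for line in text.splitlines():
        fields = FIELD.findall(line)
        if not fields or fields[0] == 'Time':
            continue                          # blank line or column-header row
        if fields[0] == 'Virus Scan Logs':
            date = fields[1]                  # block header holds only the date
            continue
        time, _, _, resource, affected, action, _, _, policy = fields
        rows.append(dict(date=date, time=time, resource=resource,
                         name=affected, action=action, policy=policy))
    return rows

def triage(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """High: 'New Service' with no binary path and a random numeric name (the pattern
    the poster saw). Medium: any new autostart entry; a human must still review it
    (the Malwarebytes RunOnce cleanup entry is benign)."""
    findings = []
    for r in rows:
        if (r['policy'] == 'New Service' and r['resource'] == '\\'
                and NUMERIC_NAME.match(r['name'])):
            findings.append((r['date'], r['time'], 'high',
                             f"service '{r['name']}' has a numeric name and no path"))
        elif r['policy'] == 'New Startup Program':
            findings.append((r['date'], r['time'], 'medium',
                             f"autostart '{r['name']}' added under {r['resource']}"))
    return findings

if __name__ == '__main__':
    for date, time, sev, why in triage(parse_trend_log(SAMPLE_LOG)):
        print(f"{date} {time} [{sev}] {why}")
```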




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:10 PM

Posted 03 June 2012 - 06:27 PM

Hello, the best thing to do with all this is to repost this info with a DDS log so we can find it all.

We need a deeper look. Please go here: Preparation Guide, and do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.

Let me know if that went well.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.
Become a BleepingComputer fan: Facebook

#3 PyroTurtle

PyroTurtle
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:10 PM

Posted 07 June 2012 - 08:24 PM

Will I need to back up my data first, as the prep guide recommends? Many thanks for responding so quickly, and my apologies for not checking this sooner.

Also, I suspect my other laptop has been affected, I found add-ons for Sun Microsystems, Inc, claiming to be Java. I disabled them all. That laptop (Windows 7) is running Kaspersky AV. I'm worried about these problems spreading to a third desktop PC (Windows XP), running Kaspersky IS, as well. I'll run the DDS log once I know whether to back up the data or not, but is there a possibility this could spread to the other computers on my wireless network?

Again, thank you!

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:10 PM

Posted 07 June 2012 - 08:40 PM

We ask this as there is always a risk in malware removal and we do not want you to lose anything valuable due to a malware reaction.


Do you want to scan the W7 Comp here, in this topic?

#5 PyroTurtle

PyroTurtle
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:10 PM

Posted 12 June 2012 - 01:14 PM

Just copied any important files onto a USB for the Windows 7 laptop with the initial problems.

Malwarebytes actually found the same PUM.Hijack.StartMenu on the other Windows 7 computer, too.

I posted the logs; GMER came up clean; I'm not sure about DDS. The topic link is below:

http://www.bleepingcomputer.com/forums/topic456787.html

Edited by PyroTurtle, 12 June 2012 - 03:27 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:10 PM

Posted 12 June 2012 - 08:49 PM

Thank you!!
files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 3 days and ALL logs are answered.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.