Ads in corner of browser and redirects


4 replies to this topic

#1 TheValiantPixel

  • Members
  • 3 posts

Posted 23 December 2012 - 01:20 AM

Every time I load a page, I get an ad in the lower right corner of my browser. It doesn't matter what browser I use; it happens in Chrome, Firefox, and IE. Also, I get redirected to a new page every few times I load a page. The ads are generally tailored to have something to do with the webpage I'm currently on. When I am being redirected, it doesn't go straight to the site I end up at; it goes to a webpage first and then pushes me to the ad site. I've run a few Malwarebytes scans, and they have come up with nothing. Please help me?


#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender: Male
  • Location: India

Posted 23 December 2012 - 10:01 PM

Download

TDSSkiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the LOG report (the log file should be in your C drive).

Do not change the default options on scan results

Download

aswMBR

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here. If you get crashes in normal mode, run it in safe mode with networking.

Download

ESET online scanner

Install it

Click on START; it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.

Export the list to the desktop and copy the contents of the text file into your reply.

#3 TheValiantPixel

  • Topic Starter
  • Members
  • 3 posts

Posted 24 December 2012 - 06:33 PM

Thanks for the reply. Here are the lists:

aswMBR

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-24 11:11:50
-----------------------------
11:11:50.239 OS Version: Windows x64 6.1.7601 Service Pack 1
11:11:50.239 Number of processors: 8 586 0x1E05
11:11:50.239 ComputerName: GARRETT-LATOP UserName: Garrett
11:11:51.955 Initialize success
11:11:52.049 AVAST engine defs: 12122401
11:11:54.732 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
11:11:54.748 Disk 0 Vendor: SAMSUNG_ 2AJ1 Size: 610480MB BusType: 3
11:11:54.795 Disk 0 MBR read successfully
11:11:54.795 Disk 0 MBR scan
11:11:54.795 Disk 0 unknown MBR code
11:11:54.841 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
11:11:54.857 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 592748 MB offset 206848
11:11:54.919 Disk 0 Partition 3 00 27 Hidden NTFS WinRE NTFS 17629 MB offset 1214154752
11:11:55.029 Disk 0 scanning C:\Windows\system32\drivers
11:12:09.365 Service scanning
11:12:25.074 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
11:12:30.363 Modules scanning
11:12:30.378 Disk 0 trace - called modules:
11:12:30.909 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys spws.sys hal.dll
11:12:30.924 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800499e790]
11:12:30.924 3 CLASSPNP.SYS[fffff88001a1743f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004701050]
11:12:32.500 AVAST engine scan C:\Windows
11:12:42.702 AVAST engine scan C:\Windows\system32
11:15:38.811 AVAST engine scan C:\Windows\system32\drivers
11:15:49.606 AVAST engine scan C:\Users\Garrett
11:31:53.003 File: C:\Users\Garrett\AppData\Local\Temp\la12.exe **INFECTED** Win32:Kryptik-JQC [Trj]
11:35:23.959 File: C:\Users\Garrett\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\206f61da-2b07a550 **INFECTED** Win32:Kryptik-JQC [Trj]
11:49:33.703 Disk 0 MBR has been saved successfully to "C:\Users\Garrett\Desktop\MBR.dat"
11:49:33.719 The log file has been saved successfully to "C:\Users\Garrett\Desktop\aswMBR.txt"

ESET Online Scanner

C:\Users\All Users\Microsoft\Windows\DRM\1BCD.tmp Win64/Olmarik.AD trojan unable to clean
C:\Users\All Users\Microsoft\Windows\DRM\1C0C.tmp Win64/Olmarik.AD trojan unable to clean
C:\Users\All Users\TorrentEasy\extensions.exe a variant of Win32/Adware.GoodMedia.C application unable to clean
C:\ProgramData\Microsoft\Windows\DRM\1BCD.tmp Win64/Olmarik.AD trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\1C0C.tmp Win64/Olmarik.AD trojan cleaned by deleting - quarantined
C:\ProgramData\TorrentEasy\extensions.exe a variant of Win32/Adware.GoodMedia.C application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\24.12.2012_10.33.17\tdlfs0000\tsk0000.dta Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\24.12.2012_10.33.17\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\24.12.2012_10.33.17\tdlfs0001\tsk0000.dta Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\24.12.2012_10.33.17\tdlfs0001\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\24.12.2012_10.33.17\tdlfs0001\tsk0002.dta Win32/Olmarik.AYH trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\24.12.2012_10.33.17\tdlfs0001\tsk0003.dta Win64/Olmarik.AL trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\24.12.2012_10.33.17\tdlfs0001\tsk0004.dta a variant of Win32/Rootkit.Kryptik.PR trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\24.12.2012_10.33.17\tdlfs0001\tsk0005.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\24.12.2012_10.33.17\tdlfs0001\tsk0009.dta Win32/Olmarik.AFK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\24.12.2012_10.33.17\tdlfs0001\tsk0010.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_15.52.56\tdlfs0000\tsk0000.dta Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_15.52.56\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_15.52.56\tdlfs0000\tsk0002.dta Win32/Olmarik.AYH trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_15.52.56\tdlfs0000\tsk0003.dta Win64/Olmarik.AL trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_15.52.56\tdlfs0000\tsk0004.dta a variant of Win32/Rootkit.Kryptik.PR trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_15.52.56\tdlfs0000\tsk0005.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_15.52.56\tdlfs0000\tsk0009.dta Win32/Olmarik.AFK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.08.2012_15.52.56\tdlfs0000\tsk0010.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\Users\Garrett\AppData\Local\Temp\la12.exe a variant of Win32/Injector.VDU trojan cleaned by deleting - quarantined
C:\Users\Garrett\AppData\Local\{24B9AEF1-E437-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan cleaned by deleting - quarantined
C:\Users\Garrett\AppData\Local\{24B9EF40-E437-11E1-8270-B8AC6F996F26}\manager.js JS/Redirector.NCG trojan cleaned by deleting - quarantined
C:\Users\Garrett\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1187ad0c-456d4a12 Java/TrojanDownloader.Agent.ME trojan cleaned by deleting - quarantined
C:\Users\Garrett\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-7df5ce21 Java/TrojanDownloader.OpenStream.NBS trojan cleaned by deleting - quarantined
C:\Users\Garrett\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\6c721cd3-6e561891 a variant of Java/TrojanDownloader.OpenStream.NCM trojan cleaned by deleting - quarantined
C:\Users\Garrett\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\206f61da-2b07a550 a variant of Win32/Injector.VDU trojan cleaned by deleting - quarantined
C:\Users\Garrett\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-26363e32 a variant of Java/Agent.DT trojan cleaned by deleting - quarantined
C:\Users\Garrett\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\6b310336-7073373f a variant of Java/TrojanDownloader.OpenStream.NCM trojan cleaned by deleting - quarantined
C:\Users\Garrett\AppData\Roaming\brdig.dll a variant of Win32/Medfos.CM trojan cleaned by deleting - quarantined
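As an added example (not code from the thread, from ESET or from BleepingComputer), here is a small Python triage script for result lines in the shape of the ESET list above. It folds the `C:\Users\All Users` alias onto `C:\ProgramData` (the two "unable to clean" entries are the same files that were quarantined under the other name), and groups the detections by family and by where they sat on disk. The sample lines are a constructed subset of the log posted above; the location labels are the editor's own.

```python
import re
from collections import Counter

# Constructed sample: a few of the ESET result lines posted in the thread above.
SAMPLE_LOG = r"""
C:\Users\All Users\Microsoft\Windows\DRM\1BCD.tmp Win64/Olmarik.AD trojan unable to clean
C:\ProgramData\Microsoft\Windows\DRM\1BCD.tmp Win64/Olmarik.AD trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\24.12.2012_10.33.17\tdlfs0001\tsk0004.dta a variant of Win32/Rootkit.Kryptik.PR trojan cleaned by deleting - quarantined
C:\Users\Garrett\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1187ad0c-456d4a12 Java/TrojanDownloader.Agent.ME trojan cleaned by deleting - quarantined
C:\Users\Garrett\AppData\Local\{24B9AEF1-E437-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan cleaned by deleting - quarantined
"""

# Line shape: <path> [a variant of] <Platform/Family.Variant> <trojan|application> <action>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?:a variant of )?(?P<name>[A-Za-z0-9]+/\S+) "
    r"(?:trojan|application) (?P<action>unable to clean|cleaned by deleting - quarantined)$")
ALL_USERS = "c:\\users\\all users\\"  # junction to C:\ProgramData on Vista and later
BUCKETS = [  # substring of the lower-cased path -> where the file lived (order matters)
    ("c:\\tdsskiller_quarantine", "TDSSKiller quarantine (hidden TDLFS contents)"),
    ("\\sun\\java\\deployment\\cache", "Java deployment cache (drive-by download artefact)"),
    ("\\microsoft\\windows\\drm", "ProgramData DRM folder"),
    ("\\appdata\\local\\{", "GUID-named folder under AppData\\Local (browser redirector)"),
]

def classify(path):
    p = path.lower()
    return next((label for needle, label in BUCKETS if needle in p), "other")

def triage(log_text):
    """Parse result lines into one record per file; lines that do not parse are returned too."""
    records, unparsed = {}, []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        path = m["path"]
        if path.lower().startswith(ALL_USERS):  # fold the alias so the file is counted once
            path = "C:\\ProgramData\\" + path[len(ALL_USERS):]
        rec = {"path": path, "name": m["name"], "action": m["action"], "where": classify(path)}
        # The same file can be listed under both aliases; keep the one that was quarantined.
        if path.lower() not in records or rec["action"].startswith("cleaned"):
            records[path.lower()] = rec
    return list(records.values()), unparsed

def summarize(records):
    """Count detections by family (name without platform prefix and variant suffix) and location."""
    by_family = Counter(r["name"].split("/", 1)[1].rsplit(".", 1)[0] for r in records)
    return by_family, Counter(r["where"] for r in records)
```

Running `summarize(triage(SAMPLE_LOG)[0])` on the full list posted above shows the picture a responder wants quickly: rootkit components pulled from the hidden TDLFS, Java cache entries pointing at a drive-by infection vector, and the browser redirector that explains the symptoms in the first post.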

#4 TheValiantPixel

  • Topic Starter
  • Members
  • 3 posts

Posted 24 December 2012 - 06:36 PM

Apparently my TDSSKiller log is too long for the forum because it won't let me post it. Here's all the parts except for the extremely long "Scan Services" section:

10:33:17.0197 6700 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
10:33:17.0525 6700 ============================================================
10:33:17.0525 6700 Current date / time: 2012/12/24 10:33:17.0525
10:33:17.0525 6700 SystemInfo:
10:33:17.0525 6700
10:33:17.0525 6700 OS Version: 6.1.7601 ServicePack: 1.0
10:33:17.0525 6700 Product type: Workstation
10:33:17.0525 6700 ComputerName: GARRETT-LATOP
10:33:17.0525 6700 UserName: Garrett
10:33:17.0525 6700 Windows directory: C:\Windows
10:33:17.0525 6700 System windows directory: C:\Windows
10:33:17.0525 6700 Running under WOW64
10:33:17.0525 6700 Processor architecture: Intel x64
10:33:17.0525 6700 Number of processors: 8
10:33:17.0525 6700 Page size: 0x1000
10:33:17.0525 6700 Boot type: Normal boot
10:33:17.0525 6700 ============================================================
10:33:18.0445 6700 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
10:33:18.0476 6700 ============================================================
10:33:18.0476 6700 \Device\Harddisk0\DR0:
10:33:18.0476 6700 MBR partitions:
10:33:18.0476 6700 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
10:33:18.0476 6700 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x485B6000
10:33:18.0476 6700 ============================================================
10:33:18.0492 6700 C: <-> \Device\Harddisk0\DR0\Partition2
10:33:18.0492 6700 ============================================================
10:33:18.0492 6700 Initialize success
10:33:18.0492 6700 ============================================================
10:34:53.0216 6868 ============================================================
10:34:53.0216 6868 Scan started
10:34:53.0216 6868 Mode: Manual; TDLFS;
10:34:53.0216 6868 ============================================================
10:34:55.0432 6868 ================ Scan system memory ========================
10:34:55.0432 6868 System memory - ok


10:40:34.0792 5672 ================ Scan global ===============================
10:40:34.0823 5672 [ BA0CD8C393E8C9F83354106093832C7B ] C:\Windows\system32\basesrv.dll
10:40:34.0854 5672 [ EB6A48CC998E1090E44E8E7F1009A640 ] C:\Windows\system32\winsrv.dll
10:40:34.0870 5672 [ EB6A48CC998E1090E44E8E7F1009A640 ] C:\Windows\system32\winsrv.dll
10:40:34.0901 5672 [ D6160F9D869BA3AF0B787F971DB56368 ] C:\Windows\system32\sxssrv.dll
10:40:34.0932 5672 [ 24ACB7E5BE595468E3B9AA488B9B4FCB ] C:\Windows\system32\services.exe
10:40:34.0948 5672 [Global] - ok
10:40:34.0948 5672 ================ Scan MBR ==================================
10:40:34.0979 5672 [ 2E5DEBB2116B3417023E0D6562D7ED07 ] \Device\Harddisk0\DR0
10:40:35.0353 5672 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
10:40:35.0353 5672 \Device\Harddisk0\DR0 - detected TDSS File System (1)
10:40:35.0353 5672 ================ Scan VBR ==================================
10:40:35.0369 5672 [ A76AB3C6CD3C3B8973B2BEF52B8986F3 ] \Device\Harddisk0\DR0\Partition1
10:40:35.0369 5672 \Device\Harddisk0\DR0\Partition1 - ok
10:40:35.0400 5672 [ 4634B8624B9DB1E867CA480E4F36EF41 ] \Device\Harddisk0\DR0\Partition2
10:40:35.0400 5672 \Device\Harddisk0\DR0\Partition2 - ok
10:40:35.0400 5672 ============================================================
10:40:35.0400 5672 Scan finished
10:40:35.0400 5672 ============================================================
10:40:35.0416 8188 Detected object count: 2
10:40:35.0416 8188 Actual detected object count: 2
10:40:38.0099 8188 C:\Windows\system32\Drivers\sptd.sys - copied to quarantine
10:40:38.0099 8188 sptd ( LockedFile.Multi.Generic ) - User select action: Quarantine
10:40:38.0114 8188 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
10:40:38.0114 8188 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
10:40:38.0130 8188 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
10:40:38.0130 8188 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
10:40:38.0161 8188 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
10:40:38.0177 8188 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
10:40:38.0177 8188 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
10:40:38.0177 8188 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
10:40:38.0177 8188 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
10:40:38.0192 8188 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
10:40:38.0192 8188 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
10:40:38.0192 8188 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
10:40:38.0192 8188 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
10:40:38.0192 8188 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Quarantine
10:40:56.0897 4372 Deinitialize success

#5 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender: Male
  • Location: India

Posted 25 December 2012 - 12:37 AM

Download

Malwarebytes

Install, update and run a full scan.

Click on Show results. Right click on the list, select all and remove them.

Post the generated log here.

Download

MiniToolBox

Checkmark the following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size
List restore points

Click Go and post the result.

Download

Farbar service scanner

Checkmark all the boxes

Click on "Scan".
Please copy and paste the log to your reply.

Download

adware cleaner

Launch it and click on Delete.

A log should be generated after the scan; post it here.

Download

Junkware removal tool

For Vista and Windows 7, right click on the tool and select Run as administrator.

After the scan gets completed, post the generated log here.

Download

http://www.bleepingcomputer.com/download/rkill/

Run it and, after the scan finishes, post the contents of the RKILL log located on the desktop here.


Download

Autoruns

Extract and launch autoruns.exe

Allow the scan to get finished

Now click on FILE-SAVE

Filename: Autoruns.txt
Save as: Text

Paste the contents of the text file here.



