
Seem to have some sort of redirect virus


6 replies to this topic

#1 drcapps

drcapps

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 13 July 2013 - 08:47 PM

I am running IE 10 on Windows 7. I seem to have picked up some sort of redirect virus; when clicking on links from Google search I am being redirected to other sites. I have run Malwarebytes and it hasn't picked up anything. I am also running McAfee through the AT&T Security Suite. It is periodically giving popups about removing a Trojan and is fortunately blocking the sites that I am being redirected to. Would welcome any advice on how to proceed.





#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:26 AM

Posted 14 July 2013 - 02:51 AM

Hello drcapps -

Are you actually happy with McAfee Antivirus as provided by AT&T? (There have been a few posts saying that it is not a top service program.)

There are many Free Options that you can use if you choose to change programs -

 

On to your problem.

Step 1: Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please Copy / Paste the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

 

 

Step 2: Download SUPERAntiSpyware Free (aka SAS)
* Double-click SAS -setup.exe and follow the prompts to install the program.
* At the end, be sure to Check for Updates to be sure it is current
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to reboot the computer after you post the log.

 

 

Step 3: Just to recheck, please Update your version of Malwarebytes' Anti-Malware first, and run a Full Scan with the program.

When completed, a log will open in Notepad.
Post the log back here.

 

 

Step 4: Scan your machine with ESET OnlineScan

You may be asked to Disable your Antivirus while you run this program.

 

This is best done with Internet Explorer, but other directions are also left here

1. Hold down Control and click HERE to open ESET OnlineScan in a new window.
2. Click the ESET Online Scanner button.
3. NOTE: For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
   - 1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
   - 2. Double click on the ESET Online Scanner icon on your desktop.
4. Check "YES, I accept the Terms of Use."
5. Click the Start button.
6. Accept any security warnings from your browser.
7. Under scan settings, check "Scan Archives" and "Remove found threats".
8. Click Advanced settings and select the following:
   Scan potentially unwanted applications
   Scan for potentially unsafe applications
   Enable Anti-Stealth technology
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient, as this will take some time to download the program for a first time and then download the updated database (1 to 2 hours is not unusual).
10. When the scan completes, click List Threats.
11. Click Export, and save the file to your desktop using a unique name, such as ESETScan.
    - Include the contents of this report in your next reply.
12. Click the Back button.
13. Click the Finish button.

 

 

Thank You -



#3 drcapps

drcapps
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 14 July 2013 - 02:39 PM

Thanks for your help! Here are the requested logs:

1.

Results of screen317's Security Check version 0.99.69 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````

 Windows Firewall Enabled! 
McAfee Anti-Virus and Anti-Spyware  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java™ 6 Update 30 
 Java version out of Date!
 Adobe Reader 10.1.7 Adobe Reader out of Date! 
 Google Chrome 28.0.1500.71 
 Google Chrome 28.0.1500.72 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Spybot Teatimer.exe is disabled!
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 9%
````````````````````End of Log``````````````````````

 

2.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/14/2013 at 09:44 AM

Application Version : 5.6.1020

Core Rules Database Version : 10610
Trace Rules Database Version: 8422

Scan type       : Quick Scan
Total Scan Time : 00:08:25

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned      : 886
Memory threats detected   : 0
Registry items scanned    : 60759
Registry threats detected : 1
File items scanned        : 10940
File threats detected     : 31

Adware.Casino Games (Golden Palace Casino)
 C:\PROGRAM FILES (X86)\BOVADA CASINO\CASINO.EXE
 (x86) HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\casino.exe
 C:\USERS\DEBRA'S\DESKTOP\BOVADA CASINO.LNK

Adware.Tracking Cookie
 .invitemedia.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .invitemedia.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .doubleclick.net [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .invitemedia.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .atdmt.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .atdmt.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .invitemedia.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 ad.yieldmanager.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 ad.yieldmanager.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 ad.yieldmanager.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 ad.yieldmanager.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .doubleclick.net [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .serving-sys.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .serving-sys.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .serving-sys.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .ads.pointroll.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .pointroll.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .ads.pointroll.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .pointroll.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .ads.pointroll.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .ads.pointroll.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .ads.pointroll.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .ads.pointroll.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .ads.pointroll.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .ads.pointroll.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .imrworldwide.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .imrworldwide.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
 .t.pointroll.com [ C:\USERS\DEBRA'S\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]

Trojan.Agent/Gen-Tres[Drop]
 C:\USERS\DEBRA'S\APPDATA\LOCAL\TEMP\580.EXE

 

3.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.14.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
Debra's :: DEBRAS-HP [administrator]

7/14/2013 10:14:03 AM
mbam-log-2013-07-14 (10-14-03).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 410921
Time elapsed: 1 hour(s), 53 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

 

4.

C:\Windows\SysWOW64\ARFC\wrtc.exe Win32/SweetIM.E application 
C:\Windows\SysWOW64\jmdp\lmrn.dll Win32/SweetIM.G application 
C:\Windows\SysWOW64\jmdp\stij.exe Win32/SweetIM.G application 
C:\Windows\SysWOW64\jmdp\SweetNT.crx Win32/SweetIM.E application 
C:\Windows\SysWOW64\WNLT\Installation\SKSetup.exe Win32/SweetIM.G application 
C:\Program Files\Updater By SweetPacks\Extension32.dll a variant of Win32/Toolbar.Perion.A application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe a variant of Win32/Toolbar.Perion.C application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\Updater By SweetPacks\InstallerHelper.dll a variant of Win32/Toolbar.Perion.B application cleaned by deleting - quarantined
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jdatact.dll a variant of Win32/Toolbar.MyWebSearch.A application cleaned by deleting - quarantined
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jhtmlmu.dll probably a variant of Win32/Toolbar.MyWebSearch.B application cleaned by deleting - quarantined
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jieovr.dll probably a variant of Win32/Toolbar.MyWebSearch.P application cleaned by deleting (after the next restart) - quarantined
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jPlugin.dll probably a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jskin.dll a variant of Win32/Toolbar.MyWebSearch.P application cleaned by deleting - quarantined
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\T8HTML.DLL probably a variant of Win32/Toolbar.MyWebSearch.F application cleaned by deleting - quarantined
C:\Users\Debra's\AppData\Local\6cf068f5-7502-4721-900e-cbce15ccfb47.crx JS/Redirector.NCG trojan deleted - quarantined
C:\Users\Debra's\AppData\Local\Google\Chrome\User Data\Default\Users\bfifieehfhbabmfaalhgkjbhfacoielg\background.js Win32/TrojanDownloader.Tracur.AH trojan cleaned by deleting - quarantined
C:\Users\Debra's\AppData\Local\Google\Chrome\User Data\Default\Users\bfifieehfhbabmfaalhgkjbhfacoielg\cs.js Win32/TrojanDownloader.Tracur.AH trojan cleaned by deleting - quarantined
C:\Users\Debra's\AppData\Local\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\Debra's\AppData\Local\Temp\DefaultTabSetup.exe a variant of Win32/Toolbar.DefaultTab.B application cleaned by deleting - quarantined
C:\Users\Debra's\AppData\Local\Temp\hsbing_717_active.exe multiple threats cleaned by deleting - quarantined
C:\Users\Debra's\AppData\Local\Temp\jar_cache2280031901790764046.tmp multiple threats cleaned by deleting - quarantined
C:\Users\Debra's\AppData\Local\Temp\jar_cache3008060138946493714.tmp Java/Exploit.CVE-2012-0507.FT trojan cleaned by deleting - quarantined
C:\Users\Debra's\AppData\Local\Temp\Shortcut_bundlesweetimsetup.exe probably a variant of Win32/SweetIM.C application cleaned by deleting - quarantined
C:\Users\Debra's\AppData\Local\Temp\WSSetup.exe Win32/SweetIM.E application cleaned by deleting - quarantined
C:\Users\Debra's\Desktop\bundlesweetimsetup.exe probably a variant of Win32/SweetIM.C application cleaned by deleting - quarantined
C:\Users\Debra's\Desktop\ophcrack-win32-installer-3.5.0.exe multiple threats cleaned by deleting - quarantined
C:\Users\Debra's\Desktop\setup.exe Win32/InstallCore.BG application cleaned by deleting - quarantined
C:\Users\Debra's\Desktop\SetupImgBurn_2.5.7.0.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\Debra's\Downloads\SoftonicDownloader_for_google-sketchup.exe a variant of Win32/SoftonicDownloader.E application cleaned by deleting - quarantined
C:\Windows\System32\ARFC\wrtc.exe Win32/SweetIM.E application cleaned by deleting - quarantined
C:\Windows\System32\jmdp\lmrn.dll Win32/SweetIM.G application cleaned by deleting - quarantined
C:\Windows\System32\jmdp\stij.exe Win32/SweetIM.G application cleaned by deleting - quarantined
C:\Windows\System32\jmdp\SweetNT.crx Win32/SweetIM.E application deleted - quarantined
C:\Windows\System32\WNLT\Installation\SKSetup.exe Win32/SweetIM.G application cleaned by deleting - quarantined
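The ESET export above is a flat text list in which each line carries a path, a detection name, an object kind (application or trojan) and the cleanup action taken; a few lines at the top record no action at all. The following parser is an added example, not code from the thread or from ESET, and its line format is inferred only from the lines posted in this reply. It turns the export into records, separates trojans from potentially unwanted applications, flags items still waiting on a reboot or never quarantined, and marks browser-extension components (the .crx and Chrome User Data paths that match the redirect symptom). The sample input is a handful of lines copied from the export above.

```python
import re
from collections import Counter

# Format inferred from the posted export: "<path> <detection> <kind> [<action>]",
# where the detection may carry an "a variant of" / "probably a variant of"
# prefix and the kind is "application" or "trojan".
_PREFIX = r"(?:probably a variant of |a variant of )?"
_NAMED = re.compile(
    r"^(?P<path>.+?) (?P<detection>" + _PREFIX + r"\S+/\S+) "
    r"(?P<kind>application|trojan)(?: (?P<action>.+))?$"
)
# Lines where ESET reports "multiple threats" carry no single detection name.
_MULTI = re.compile(r"^(?P<path>.+?) multiple threats(?: (?P<action>.+))?$")


def family(detection):
    """Reduce 'a variant of Win32/Toolbar.Perion.A' to 'Toolbar.Perion'."""
    name = re.sub(r"^(?:probably )?a variant of ", "", detection)
    if "/" in name:
        name = name.split("/", 1)[1]          # drop the platform prefix (Win32/, JS/, Java/)
    return re.sub(r"\.[A-Z]+$", "", name)     # drop the trailing variant letters (.A, .FT)


def is_browser_component(path):
    """Chrome extension packages and files under the Chrome profile directory."""
    lowered = path.lower()
    return lowered.endswith(".crx") or "\\google\\chrome\\" in lowered


def parse_eset_line(line):
    """Return a record for one export line, or None if it does not fit the format."""
    line = line.strip()
    if not line:
        return None
    m = _NAMED.match(line) or _MULTI.match(line)
    if not m:
        return None
    d = m.groupdict()
    action = d.get("action") or ""
    detection = d.get("detection") or "multiple threats"
    return {
        "path": d["path"],
        "detection": detection,
        "kind": d.get("kind") or "multiple",
        "family": family(detection),
        "action": action or "no action recorded",
        "quarantined": action.endswith("quarantined"),
        "restart_pending": "after the next restart" in action,
        "browser_component": is_browser_component(d["path"]),
    }


def parse_eset_log(text):
    """Parse a whole export; unparseable lines are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        rec = parse_eset_line(line)
        if rec:
            records.append(rec)
    return records


def summarize(records):
    """The questions a helper asks of the log: what was serious, what is not finished."""
    return {
        "total": len(records),
        "trojans": sum(r["kind"] == "trojan" for r in records),
        "applications": sum(r["kind"] == "application" for r in records),
        "restart_pending": [r["path"] for r in records if r["restart_pending"]],
        "not_quarantined": [r["path"] for r in records if not r["quarantined"]],
        "browser_components": [r["path"] for r in records if r["browser_component"]],
        "families": Counter(r["family"] for r in records),
    }


# Sample lines copied from the export posted above (not a full copy of it).
SAMPLE_EXPORT = r"""
C:\Windows\SysWOW64\ARFC\wrtc.exe Win32/SweetIM.E application
C:\Program Files\Updater By SweetPacks\Extension32.dll a variant of Win32/Toolbar.Perion.A application cleaned by deleting (after the next restart) - quarantined
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jhtmlmu.dll probably a variant of Win32/Toolbar.MyWebSearch.B application cleaned by deleting - quarantined
C:\Users\Debra's\AppData\Local\6cf068f5-7502-4721-900e-cbce15ccfb47.crx JS/Redirector.NCG trojan deleted - quarantined
C:\Users\Debra's\AppData\Local\Google\Chrome\User Data\Default\Users\bfifieehfhbabmfaalhgkjbhfacoielg\background.js Win32/TrojanDownloader.Tracur.AH trojan cleaned by deleting - quarantined
C:\Users\Debra's\AppData\Local\Temp\jar_cache3008060138946493714.tmp Java/Exploit.CVE-2012-0507.FT trojan cleaned by deleting - quarantined
C:\Users\Debra's\AppData\Local\Temp\hsbing_717_active.exe multiple threats cleaned by deleting - quarantined
"""

if __name__ == "__main__":
    summary = summarize(parse_eset_log(SAMPLE_EXPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The two lists in the summary are the ones a helper acts on: `restart_pending` is why the next reply asks whether the machine was rebooted, and `not_quarantined` catches the leading lines that record a detection but no cleanup. Grouping by family rather than by full variant name gives the same picture the reply below draws (Tracur, Redirector and the Java exploit as the serious items; SweetIM, MyWebSearch and Perion toolbars as the clutter).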
 



#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:26 AM

Posted 14 July 2013 - 05:20 PM

Hi -

The ESET Scan removed several Trojans and quite a few minor infections (some listed below)

Several items are marked as "cleaned by deleting (after the next restart) - quarantined". I hope you have Rebooted the computer.

 

Some Major problems were -
TrojanDownloader.Tracur.AH
Redirector.NCG trojan
Temp\jar_cache3008060138946493714.tmp Java/Exploit.CVE-2012-0507.FT trojan

 

Some Minor infections that cause your system to slow down were -

Win32/Toolbar.MyWebSearch
Win32/SweetIM
Win32/SoftonicDownloader
Win32/InstallCore.BG application
Win32/Toolbar.Perion

 

Java™ 6 Update 30 - Java version out of Date! < Current is now Version 7 Update 25

You can verify the version of Java installed, http://www.java.com/en/download/installed.jsp?detect=jre

On the big Red bar at the top, click Download to install the latest version.

Be sure to Untick any Toolbars or Add-ons offered in the download, as they are not part of Java and not wanted.

Now go to Programs and Features and remove all but the latest Java version -

 

 

Please download TFC, or Temp File Cleaner by Old Timer.
Usage Instructions:

  • Download TFC from the download link above and save the file on your desktop.
  • Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
  • Double-click on the TFC icon.
  • When the program opens, click on the Start button.
    (NOTE) TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
  • When done, press OK and reboot your computer and finish the cleanup.

Note: Depending on how much data is currently stored in the Temp folders, this process can take quite a while to remove all of the files, so please be patient.

 

 

After you finish these steps please reply with - Has the computer improved at all now?

Please give me any update or changes -

 

Thank You -


Edited by noknojon, 14 July 2013 - 08:00 PM.


#5 drcapps

drcapps
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 14 July 2013 - 08:57 PM

Have completed the newest steps and yes, computer is greatly improved! Redirects have stopped, seems to be working as it should. Thanks!



#6 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:26 AM

Posted 14 July 2013 - 09:22 PM

Ok -

I will watch the topic for a few days just to see if it remains OK for now

Post back here if there are problems in a few days, or start a new topic if new problems are not related.

 

Good Luck -



#7 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:26 AM

Posted 20 July 2013 - 10:04 PM

As you have not replied or asked any other questions, I will take this off watch.

 

If you have other problems, please start a new topic.

 

Thank You -





