
Yahoo Redirection virus


  • This topic is locked
11 replies to this topic

#1 Etere

Etere

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:27 AM

Posted 05 January 2014 - 09:19 AM

Hi guys, 

 

I've realised that my browser now redirects my searches to Yahoo instead of my default Google search engine. Despite setting Google as default in Google Chrome, I still get redirected to Yahoo. After digging around I realised that Yahoo redirects me to false pages when I search for terms such as PUP.Optional.SearchProtection.A (the name given by Malwarebytes).

 

Also, I think the virus comes from a Chinese program called "Mobogenie" and maybe also "Spigot" that is bundled with KMPlayer (I think), after scanning with AdwCleaner. I haven't done anything to it yet and shall take action according to the instructions you guys give once I receive a reply.

 

I've found a couple of methods of removing this virus but I'm not sure whether they are suitable for my computer or not, so I hope you guys can help me out. (:

 

Here is the log after scanning with Malwarebytes:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.01.05.01
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16476
jiajia :: JIAJIA-PC [administrator]
 
1/5/2014 9:13:03 PM
MBAM-log-2014-01-05 (21-33-32).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195867
Time elapsed: 10 minute(s), 56 second(s)
 
Memory Processes Detected: 1
C:\Users\jiajia\AppData\Roaming\Search Protection\SearchProtection.exe (PUP.Optional.SearchProtection.A) -> 3316 -> No action taken.
 
Memory Modules Detected: 1
C:\Users\jiajia\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SearchProtection (PUP.Optional.SearchProtection.A) -> Data: "C:\Users\jiajia\AppData\Roaming\Search Protection\SearchProtection.EXE" /autostart -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NextLive (PUP.Optional.NextLive.A) -> Data: C:\Windows\system32\rundll32.exe "C:\Users\jiajia\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l -> No action taken.
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 2
C:\Users\jiajia\AppData\Roaming\newnext.me (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\jiajia\AppData\Roaming\newnext.me\cache (PUP.Optional.NextLive.A) -> No action taken.
 
Files Detected: 4
C:\Users\jiajia\AppData\Roaming\Search Protection\SearchProtection.exe (PUP.Optional.SearchProtection.A) -> No action taken.
C:\Users\jiajia\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\jiajia\AppData\Roaming\newnext.me\nengine.cookie (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\jiajia\AppData\Roaming\newnext.me\cache\spark.bin (PUP.Optional.NextLive.A) -> No action taken.
 
(end)
 
Thanks for helping! (:

Edited by Etere, 05 January 2014 - 10:16 AM.



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:27 PM

Posted 05 January 2014 - 02:47 PM

Good evening. :)

Please go here, follow step six, and then post accordingly into this thread.
 


So long, and thanks for all the fish.

 

 


#3 Etere

Etere
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:27 AM

Posted 06 January 2014 - 07:23 AM

Attached file: Attach.txt (4.99KB)

Hello. Thank you for spending time looking at this! Here are the items requested.
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 11.0.9600.16428
Run by jiajia at 20:14:58 on 2014-01-06
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.2046.1151 [GMT 8:00]
.
AV: Advanced SystemCare Ultimate *Enabled/Outdated* {1C304DC4-1D72-5DB9-B33A-43B638ECFD30}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\IObit\Advanced SystemCare Ultimate\ascsvc.exe
C:\Program Files\IObit\Advanced SystemCare Ultimate\ascavsvc.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\PANDORA.TV\PanService\KMPService.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe
C:\Users\jiajia\AppData\Roaming\Search Protection\SearchProtection.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Sony\Sony PC Companion\PCCompanionInfo.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\PANDORA.TV\PanService\KMPProcess.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\jiajia\Downloads\AdwCleaner.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://sg.search.yahoo.com/?type=714647&fr=spigot-yhp-ie
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Advanced SystemCare Browser Protection: {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - c:\program files\iobit\advanced systemcare ultimate\browerprotect\ASCPlugin_Protection.dll
uRun: [Advanced SystemCare Ultimate] "c:\program files\iobit\advanced systemcare ultimate\ASCTray.exe" /AutoStart
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Sony PC Companion] "c:\program files\sony\sony pc companion\PCCompanion.exe" /Background
uRun: [SearchProtection] "c:\users\jiajia\appdata\roaming\search protection\SearchProtection.EXE" /autostart
uRun: [NextLive] c:\windows\system32\rundll32.exe "c:\users\jiajia\appdata\roaming\newnext.me\nengine.dll",EntryPoint -m l
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 202.156.1.16 218.186.2.16 218.186.2.6
TCP: Interfaces\{52CA7C65-BC40-4EE3-ADB8-2F3E73E28258} : DHCPNameServer = 202.156.1.16 218.186.2.16 218.186.2.6
TCP: Interfaces\{52CA7C65-BC40-4EE3-ADB8-2F3E73E28258}\34574796560226162697 : DHCPNameServer = 165.21.83.88 165.21.100.88
TCP: Interfaces\{52CA7C65-BC40-4EE3-ADB8-2F3E73E28258}\8505542594140205F556265616 : DHCPNameServer = 192.168.43.1
TCP: Interfaces\{52CA7C65-BC40-4EE3-ADB8-2F3E73E28258}\A49616A69616723702960586F6E656 : DHCPNameServer = 172.20.10.1
TCP: Interfaces\{52CA7C65-BC40-4EE3-ADB8-2F3E73E28258}\A4F6C696E6 : DHCPNameServer = 202.156.1.16 218.186.2.16 218.186.2.6
TCP: Interfaces\{52CA7C65-BC40-4EE3-ADB8-2F3E73E28258}\A69616A6961602 : DHCPNameServer = 192.168.43.1
TCP: Interfaces\{B0873070-C956-4394-8539-FD0FF4FCF034} : DHCPNameServer = 192.168.42.129
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-11-15 34176]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2013-5-6 15672]
R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\iobit\advanced systemcare ultimate\ASCSvc.exe [2013-5-5 1051088]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 ASCAntivirusSrv;AdvancedSystemCareAntivirus;c:\program files\iobit\advanced systemcare ultimate\ASCAvSvc.exe [2013-5-5 621008]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-5-6 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-5-6 701512]
R2 PanService;PandoraService;c:\program files\pandora.tv\panservice\KMPService.exe [2013-12-28 1922600]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-5-6 22856]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-1-5 40776]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-11 4231168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2013-11-24 12400]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2013-12-12 108032]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-5-5 15872]
S3 Sony PC Companion;Sony PC Companion;c:\program files\sony\sony pc companion\PCCService.exe [2013-11-24 155824]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-5-7 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-15 1343400]
.
=============== Created Last 30 ================
.
2014-01-05 13:43:22 -------- d-----w- C:\AdwCleaner
2014-01-05 13:11:18 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2014-01-03 08:57:07 7760024 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{4a34901e-7431-435c-b198-4ab08db074d9}\mpengine.dll
2013-12-31 10:07:28 -------- d-----w- c:\program files\niji
2013-12-28 09:50:15 -------- d-----w- c:\program files\PANDORA.TV
2013-12-28 09:49:49 -------- d-----w- c:\program files\The KMPlayer
2013-12-28 09:44:25 -------- d-----w- c:\users\jiajia\.android
2013-12-28 09:44:24 -------- d-----w- c:\users\jiajia\appdata\local\cache
2013-12-28 09:44:22 -------- d-----w- c:\users\jiajia\appdata\roaming\newnext.me
2013-12-28 09:44:22 -------- d-----w- c:\users\jiajia\appdata\local\genienext
2013-12-28 09:44:19 -------- d-----w- c:\users\jiajia\appdata\local\Mobogenie
2013-12-28 09:43:25 -------- d-----w- c:\program files\MyPC Backup
2013-12-26 11:07:31 -------- d-----w- c:\program files\common files\Steam
2013-12-26 11:07:26 -------- d-----w- c:\program files\Steam
2013-12-25 09:54:00 -------- d-----w- C:\CherryDeGames
2013-12-14 08:17:52 -------- d-----w- c:\program files\Softnyx
2013-12-11 17:36:45 164864 ----a-w- c:\program files\windows media player\wmplayer.exe
2013-12-11 17:36:45 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2013-12-11 11:29:29 301568 ----a-w- c:\windows\system32\msieftp.dll
2013-12-11 11:29:28 159232 ----a-w- c:\windows\system32\imagehlp.dll
2013-12-11 11:29:27 163840 ----a-w- c:\windows\system32\scrrun.dll
2013-12-11 11:29:27 141824 ----a-w- c:\windows\system32\wscript.exe
2013-12-11 11:29:27 126976 ----a-w- c:\windows\system32\cscript.exe
2013-12-11 11:29:27 121856 ----a-w- c:\windows\system32\wshom.ocx
2013-12-11 11:29:26 417792 ----a-w- c:\windows\system32\WMPhoto.dll
2013-12-11 11:29:23 2048 ----a-w- c:\windows\system32\tzres.dll
2013-12-11 11:29:19 2349056 ----a-w- c:\windows\system32\win32k.sys
2013-12-11 11:29:18 81408 ----a-w- c:\windows\system32\drivers\drmk.sys
2013-12-11 11:29:18 177152 ----a-w- c:\windows\system32\drivers\portcls.sys
.
==================== Find3M  ====================
.
2013-12-11 17:36:13 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 17:36:13 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-11-26 09:23:02 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2013-11-26 09:22:11 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2013-11-26 08:53:56 61952 ----a-w- c:\windows\system32\iesetup.dll
2013-11-26 08:52:26 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2013-11-26 08:29:55 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2013-11-26 08:29:52 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2013-11-26 08:28:16 553472 ----a-w- c:\windows\system32\jscript9diag.dll
2013-11-26 08:16:12 4243968 ----a-w- c:\windows\system32\jscript9.dll
2013-11-26 07:32:06 1928192 ----a-w- c:\windows\system32\inetcpl.cpl
2013-11-26 06:33:33 1820160 ----a-w- c:\windows\system32\wininet.dll
2013-11-23 17:56:57 25200 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2013-11-23 17:56:57 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2013-11-23 17:56:56 12400 ----a-w- c:\windows\system32\drivers\ggflt.sys
2013-11-18 19:33:38 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-10-12 02:03:08 656896 ----a-w- c:\windows\system32\nshwfp.dll
2013-10-12 02:01:41 679424 ----a-w- c:\windows\system32\IKEEXT.DLL
2013-10-12 02:01:25 216576 ----a-w- c:\windows\system32\FWPUCLNT.DLL
.
============= FINISH: 20:16:06.98 ===============
 
 

Attached file: DDS.txt (12.58KB)

Edited by Etere, 06 January 2014 - 07:29 AM.
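Both logs in this thread show the same persistence shape: an HKCU Run value (the "Registry Values Detected" lines in the Malwarebytes log, the "uRun:" lines in the DDS Pseudo HJT Report) that starts code from the user's own AppData\Roaming directory, in one case via rundll32.exe loading nengine.dll, plus a start page carrying a distributor tag (fr=spigot-yhp-ie) that identifies the bundled Spigot component. As an added example, not code from the original post, from Malwarebytes or from the DDS tool, the Python below parses constructed lines modelled on those two logs, cross-checks each MBAM "Detected: N" header against the items actually listed, reports which signatures are still marked "No action taken.", flags autostart entries whose executable or DLL lives in a user-writable location, and pulls the start-page tag. The function names, the regular expressions and the sample lines are my own assumptions about the MBAM 1.75 and DDS formats as they appear in this thread.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines, modelled on the Malwarebytes 1.75 log in post #1 (not the real file).
MBAM_SAMPLE = r"""Memory Processes Detected: 1
C:\Users\jiajia\AppData\Roaming\Search Protection\SearchProtection.exe (PUP.Optional.SearchProtection.A) -> 3316 -> No action taken.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SearchProtection (PUP.Optional.SearchProtection.A) -> Data: "C:\Users\jiajia\AppData\Roaming\Search Protection\SearchProtection.EXE" /autostart -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NextLive (PUP.Optional.NextLive.A) -> Data: C:\Windows\system32\rundll32.exe "C:\Users\jiajia\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)
"""

# Constructed sample lines, modelled on the DDS "Pseudo HJT Report" in post #3 (not the real file).
DDS_SAMPLE = r"""uStart Page = hxxp://sg.search.yahoo.com/?type=714647&fr=spigot-yhp-ie
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SearchProtection] "c:\users\jiajia\appdata\roaming\search protection\SearchProtection.EXE" /autostart
uRun: [NextLive] c:\windows\system32\rundll32.exe "c:\users\jiajia\appdata\roaming\newnext.me\nengine.dll",EntryPoint -m l
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
"""

MBAM_SECTION = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
MBAM_ITEM = re.compile(r"^(?P<item>.+?) \((?P<sig>[A-Za-z0-9._-]+)\) -> (?P<rest>.+)$")
DDS_RUN = re.compile(r"^(?P<hive>[umd]Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# A drive-letter path up to the first executable/library extension (quotes excluded, spaces allowed).
WIN_PATH = re.compile(r'(?i)[a-z]:\\[^"\r\n]*?\.(?:exe|dll|cpl|scr)')
# Locations a standard user can write to; legitimate autostart entries rarely live here.
USER_WRITABLE = re.compile(r"(?i)\\(?:AppData|ProgramData|Temp|Downloads|Users\\Public)\\")


def parse_mbam(text):
    """Parse MBAM detection lines into dicts and report sections whose
    'Detected: N' header disagrees with the number of items listed under it."""
    detections, mismatches = [], []
    section, expected, seen = None, 0, 0
    for raw in text.splitlines():
        line = raw.strip()
        header = MBAM_SECTION.match(line)
        if header:
            if section is not None and seen != expected:
                mismatches.append(section)
            section, expected, seen = header["section"], int(header["count"]), 0
            continue
        item = MBAM_ITEM.match(line)
        if item and section is not None:
            parts = item["rest"].split(" -> ")  # middle fields (PID, "Data: ...") then the action
            detections.append({"section": section, "item": item["item"], "signature": item["sig"],
                               "detail": " -> ".join(parts[:-1]), "action": parts[-1]})
            seen += 1
    if section is not None and seen != expected:
        mismatches.append(section)
    return detections, mismatches


def parse_dds_autostarts(text):
    """Return the uRun/mRun/dRunOnce entries of a DDS Pseudo HJT report."""
    entries = []
    for line in text.splitlines():
        m = DDS_RUN.match(line.strip())
        if m:
            entries.append({"hive": m["hive"], "name": m["name"], "command": m["cmd"]})
    return entries


def start_page_tracking_tag(text):
    """Return the 'fr=' tag of the uStart Page URL, or None. The distributor tag
    is what shows a bundled component set the page rather than the user."""
    for line in text.splitlines():
        if line.startswith("uStart Page = "):
            url = line[len("uStart Page = "):].replace("hxxp", "http", 1)
            return parse_qs(urlsplit(url).query).get("fr", [None])[0]
    return None


def flag_user_writable_autostarts(commands):
    """Given (name, command line) pairs, return those that load an executable or
    DLL from a user-writable location; rundll32 hosting a DLL there is caught too."""
    flagged = []
    for name, cmd in commands:
        bad = [p for p in WIN_PATH.findall(cmd) if USER_WRITABLE.search(p)]
        if bad:
            flagged.append((name, bad))
    return flagged


def review(mbam_text, dds_text):
    """Combine the checks into one triage summary for a pair of logs."""
    detections, mismatches = parse_mbam(mbam_text)
    autostarts = []
    for d in detections:
        if d["section"] == "Registry Values":  # HKCU\...\Run|Name -> Data: <command>
            cmd = d["detail"][6:] if d["detail"].startswith("Data: ") else d["detail"]
            autostarts.append((d["item"].rsplit("|", 1)[-1], cmd))
    autostarts += [(e["name"], e["command"]) for e in parse_dds_autostarts(dds_text)]
    return {
        "detections": len(detections),
        "count_mismatches": mismatches,
        "untreated": sorted({d["signature"] for d in detections if d["action"] == "No action taken."}),
        "flagged_autostarts": flag_user_writable_autostarts(autostarts),
        "start_page_tag": start_page_tracking_tag(dds_text),
    }


if __name__ == "__main__":
    for key, value in review(MBAM_SAMPLE, DDS_SAMPLE).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for the constructed samples: three detections, no count mismatches, both PUP signatures still untreated, four flagged autostart entries (SearchProtection and NextLive from each log) and the start-page tag spigot-yhp-ie. The user-writable-path check is the cheap tell to apply first: on a clean machine the Run values point into Program Files or System32, so a user-profile path in an autostart value, or rundll32.exe being handed a DLL from one, is worth a look even before any signature fires.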


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:27 PM

Posted 06 January 2014 - 02:42 PM

Good evening. :)

 

Update MBAM and then scan and let it fix what it finds. Once done, let me have the log that it produced and also tell me if the redirections have been sorted out.


So long, and thanks for all the fish.

 

 


#5 Etere

Etere
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:27 AM

Posted 08 January 2014 - 07:34 AM

Here you go~ 
 
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.01.05.01
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16476
jiajia :: JIAJIA-PC [administrator]
 
1/10/2006 12:07:07 AM
mbam-log-2006-01-10 (00-07-07).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195965
Time elapsed: 11 minute(s), 54 second(s)
 
Memory Processes Detected: 1
C:\Users\jiajia\AppData\Roaming\Search Protection\SearchProtection.exe (PUP.Optional.SearchProtection.A) -> 3156 -> Delete on reboot.
 
Memory Modules Detected: 1
C:\Users\jiajia\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> Delete on reboot.
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SearchProtection (PUP.Optional.SearchProtection.A) -> Data: "C:\Users\jiajia\AppData\Roaming\Search Protection\SearchProtection.EXE" /autostart -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NextLive (PUP.Optional.NextLive.A) -> Data: C:\Windows\system32\rundll32.exe "C:\Users\jiajia\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l -> Quarantined and deleted successfully.
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 2
C:\Users\jiajia\AppData\Roaming\newnext.me (PUP.Optional.NextLive.A) -> Delete on reboot.
C:\Users\jiajia\AppData\Roaming\newnext.me\cache (PUP.Optional.NextLive.A) -> Quarantined and deleted successfully.
 
Files Detected: 4
C:\Users\jiajia\AppData\Roaming\Search Protection\SearchProtection.exe (PUP.Optional.SearchProtection.A) -> Delete on reboot.
C:\Users\jiajia\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> Delete on reboot.
C:\Users\jiajia\AppData\Roaming\newnext.me\nengine.cookie (PUP.Optional.NextLive.A) -> Quarantined and deleted successfully.
C:\Users\jiajia\AppData\Roaming\newnext.me\cache\spark.bin (PUP.Optional.NextLive.A) -> Quarantined and deleted successfully.
 
(end)
 

Edited by Etere, 08 January 2014 - 07:54 AM.


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:27 PM

Posted 08 January 2014 - 03:05 PM

Good evening. :)
 

and also tell me if the redirections have been sorted out.

 


So long, and thanks for all the fish.

 

 


#7 Etere

Etere
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:27 AM

Posted 11 January 2014 - 07:07 AM

Hi, sorry I was busy these few days so I was unable to reply. Actually I had changed the settings of my websites to default back to Google so redirections did not occur any longer... However, I did a scan with Malwarebytes and I think there are still items detected... Give me a while more to let the scan complete and get the log out. (:

 

EDIT:

Just finished a full scan with Malwarebytes and it seemed that it has picked up a bunch of other stuff. ): 

Here is the log from the latest scan and I haven't taken any action as of now... Pretty weird that there's a trojan in the Acer program that was bundled with my Acer laptop, or rather, did the virus embed itself there? Same goes for my PopCap game, Zuma.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.01.05.01
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16476
jiajia :: JIAJIA-PC [administrator]
 
1/11/2014 8:14:03 PM
MBAM-log-2014-01-12 (00-43-35).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 516659
Time elapsed: 4 hour(s), 27 minute(s), 41 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 7
C:\Acer\Empowering Technology\eLock\Service\eLock.Serv.Service.exe (Trojan.Downloader.FR) -> No action taken.
C:\Windows\AutoKMS\AutoKMS.exe (Trojan.AutoKMS) -> No action taken.
C:\Windows.old\Program Files\Adobe\Adobe Bridge CS6\AMTLib.dll (PUP.RiskwareTool.CK) -> No action taken.
C:\Windows.old\Program Files\Adobe\Adobe Photoshop CS6\amtlib.dll (PUP.RiskwareTool.CK) -> No action taken.
C:\Windows.old\Program Files\PopCap Games\Zuma Deluxe\PopUninstall.exe (Trojan.FakeAlert.RRE) -> No action taken.
C:\Windows.old\Users\jiajia\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-ap.cab (PUP.Optional.OpenCandy) -> No action taken.
C:\Windows.old\Windows\Temp\med29AA.tmp (PUP.Optional.DealioTB.A) -> No action taken.
 
(end)
 
Oh, btw, I suddenly recall that my computer was infected with a virus years back... I think it was some rogue antivirus software... maybe it was from there?

Edited by Etere, 11 January 2014 - 11:55 AM.


#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:27 PM

Posted 11 January 2014 - 03:03 PM

Good evening. :)

I'm a little busy this evening, so I'll take a look tomorrow and post then.


So long, and thanks for all the fish.

 

 


#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:27 PM

Posted 12 January 2014 - 03:07 PM

Good evening. :)

C:\Windows.old\Program Files\Adobe\Adobe Bridge CS6\AMTLib.dll (PUP.RiskwareTool.CK) -> No action taken.

C:\Windows.old\Program Files\Adobe\Adobe Photoshop CS6\amtlib.dll (PUP.RiskwareTool.CK) -> No action taken.
C:\Windows.old\Program Files\PopCap Games\Zuma Deluxe\PopUninstall.exe (Trojan.FakeAlert.RRE) -> No action taken.
C:\Windows.old\Users\jiajia\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-ap.cab (PUP.Optional.OpenCandy) -> No action taken.
C:\Windows.old\Windows\Temp\med29AA.tmp (PUP.Optional.DealioTB.A) -> No action taken.
 
C:\Acer\Empowering Technology\eLock\Service\eLock.Serv.Service.exe (Trojan.Downloader.FR) -> No action taken.
C:\Windows\AutoKMS\AutoKMS.exe (Trojan.AutoKMS) -> No action taken.
 
The first group appear to be files that were backed up when you installed Windows 7 and I wouldn't be concerned about them, unless you are planning on using that software.
The Acer detection is probably a false positive, assuming that you have Acer eLock Management installed on your system - not an unknown phenomenon.
 
AutoKMS.exe appears to be a crack for Microsoft Office and, assuming that it is so, any consequences of using that are yours and yours alone.
 
 

So long, and thanks for all the fish.

 

 


#10 Etere

Etere
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:27 AM

Posted 16 January 2014 - 11:20 PM

Hi, sorry for the late reply. I was busy with work lately so I couldn't get back to you, and it seems that my previous reply didn't get through...

 

My computer was apparently upgraded from Vista to Windows 7 by my neighbour, who also did a bunch of fixes for my computer... so I guess he implemented the crack for Microsoft Office... I had a previous version but it seems that he replaced it. Anyway, is AutoKMS harmful to my computer? If so, I think I'll dig out my old disk for Microsoft Office and delete this version? Also, I don't think I'll be using the first group of files anymore, so should I just delete the virus or leave it? Or maybe I should just delete the backup files together with the viruses?

 

As always, thank you for your help! :D



#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:27 PM

Posted 17 January 2014 - 02:29 PM

Good evening. :)

I have no way of knowing what, if any, threat that file poses. The detection is probably due to the fact that it is a crack rather than a malicious file, but I don't know for certain and any post that contained even implied approval for this sort of file would probably get me into some sort of trouble with someone somewhere.

The best thing I can say is that if you run the file name in question through the search engine of your choice you can see what others are saying and decide for yourself whether or not you wish to have it remain on your system.

 

As to the first lot, if you aren't going to be doing anything with them, you can delete them or not as you see fit. If you don't run them, they won't do any harm where they are.


So long, and thanks for all the fish.

 

 


#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:27 PM

Posted 23 January 2014 - 05:13 PM

As this issue appears to have been resolved, this thread is now closed.
 


So long, and thanks for all the fish.

 

 




