Google Redirect & No Sound


4 replies to this topic

#1 tsuyoi.ai


Posted 28 April 2014 - 12:51 PM

Hi all.  I've been googling around for a couple hours and it looks like I've got some kind of Rootkit problem?  I'm not 100% sure, that's just what I saw in similar threads on this site.

Quick Info:

OS: Windows 7 64 bit (upgraded from Vista a long time ago)
Browsers: Chrome and Internet Explorer
Security Program: Microsoft Security Essentials

My problems:

When opening links in Chrome there is a popup every time
When opening links in Internet Explorer there is occasionally a popup
No Sound (Youtube)

What I've done:

Performed quick scan and full scan with Microsoft Security Essentials.  Nothing was found.
Downloaded and performed scan with Kaspersky TDSSKiller (with both default parameters and "use KSN to scan objects").  Nothing was found.
Screamed and pulled at my hair.  Then posted this thread.

What's the next step?  Thanks in advance.




 


#2 Kirbyofdeath


Posted 28 April 2014 - 02:31 PM

Please scan your computer with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the [image: esetonlinebtn.png] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image: esetsmartinstaller_enu.png] icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 

 
Please download Malwarebytes Anti-Malware.

1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.

2)  Malwarebytes will automatically open.  If this is the first time you have run this version of Malwarebytes you will see an image like the one below.

[screenshot: mbam1_zps95cc812c.png]

Click on Update Now, after Malwarebytes is updated click on Scan.

If this isn't the first time you have run this version, then you will see an image like the one below.  Click on Scan

[screenshot: mbam1_zps98e7fba9.png]

You will be prompted to update Malwarebytes, to do so click on Update Now.

[screenshot: mbam2_zps85f38f0c.png]

3)  The scan will automatically run now.

[screenshot: mbamreplace_zps3ead4824.png]

4)  When the scan is complete the results will be displayed.  Click on Quarantine All, then click on Apply Actions

[screenshot: mbam4_zps23e52ad4.png]

5)  To complete any actions taken you will be asked if you want to restart your computer, click on Yes

[screenshot: mbam4_zps490948cc.png]

6)  Please post the Malwarebytes log.

To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.

To open the log double click on mbam-check.exe on your desktop.  When the log opens, scroll down toward the bottom of the log to Quarantined Items.  Copy and paste this in your next post.


#3 tsuyoi.ai


Posted 29 April 2014 - 07:28 AM

Additional Info:

 

So it looks like it's not only my PC that's infected with something.  Both my parents' rooted Android Kindle Fire tablet and iPad have been experiencing similar pop-ups, though it hasn't spread to their desktop PC.  Possibly related, we did lose internet access for a couple hours yesterday evening, while the wifi remained on.  It was storming outside so I attributed it to that but I can't be sure now.

EDIT: It's on my Nexus 4 now too, when I use Chrome on it.

EDIT EDIT: In sum, we are experiencing pop-up symptoms on my W7 desktop, Nexus 4 (Stock Android), my parents' Kindle (running a rooted version of Android from a few months ago), iPad, and W8 laptop.

 

 

ESET Report:

 

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AskToolbarInstaller-ORJ-V7C[1].7z a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application 
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AskToolbarInstaller-ORJ-V7C[2].7z a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application 
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AskToolbarInstaller-ORJ-V7C[3].7z a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application 
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\APNSetup.exe a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\UpdateManager.exe a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\AskToolbarInstaller-12.10.0_ORJ-V7C.msi a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\AskToolbarInstaller-12.7.0_ORJ-V7C.msi a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\apnmcp.exe a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\searchhook.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\ServiceLocator.exe a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\SO.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\toolbar.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\Toolbar.exe a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\ToolbarPS.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\toolbar_x64.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\UpdateManager.exe a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\{PartnerID}\Passport.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\{PartnerID}\Passport_x64.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Users\Shaun\AppData\Local\Downloaded Installations\{9C811A65-80F2-4E35-A85D-0D8F59D3CD9F}\PCmover OEM Express.msi a variant of Win32/PSWTool.PWDump.A potentially unsafe application deleted - quarantined
C:\Windows\Installer\bf940.msi a variant of Win32/PSWTool.PWDump.A potentially unsafe application deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AskToolbarInstaller-ORJ-V7C[1].7z a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AskToolbarInstaller-ORJ-V7C[2].7z a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AskToolbarInstaller-ORJ-V7C[3].7z a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application deleted - quarantined

 

 

MBAM Check

 

Quarantined Items:
===================
Vendor: PUP.Optional.Spigot.A, Date: 2014/04/29 12:23:50, Type: File, Location: C:\Users\Shaun\AppData\Roaming\Search Protection\SearchProtection.exe
Vendor: PUP.Optional.Spigot.A, Date: 2014/04/29 12:23:50, Type: File, Location: C:\Users\Shaun\AppData\Local\Temp\SearchProtectionSetup.exe
Vendor: PUP.Optional.MyEmoticons.A, Date: 2014/04/29 12:23:50, Type: Registry Key, Location: HKU\S-1-5-21-1296584933-1340369955-2925439927-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\Search Protection
Vendor: PUP.Optional.Spigot.A, Date: 2014/04/29 12:23:50, Type: Registry Value, Location: HKU\S-1-5-21-1296584933-1340369955-2925439927-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SearchProtection

 

 

I'm also posting my Protection Log from MBAM in case it helps.  This has been less than 24 hours.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Error, 4/29/2014 7:18:44 AM, SYSTEM, GAGE-PC, Protection, IsLicensed, 13,
Protection, 4/29/2014 7:18:44 AM, SYSTEM, GAGE-PC, Protection, Malware Protection, Stopping,
Protection, 4/29/2014 7:18:44 AM, SYSTEM, GAGE-PC, Protection, Malware Protection, Stopped,
Protection, 4/29/2014 7:18:47 AM, SYSTEM, GAGE-PC, Protection, Malware Protection, Starting,
Protection, 4/29/2014 7:18:47 AM, SYSTEM, GAGE-PC, Protection, Malware Protection, Started,
Protection, 4/29/2014 7:18:47 AM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Starting,
Protection, 4/29/2014 7:18:48 AM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Started,
Update, 4/29/2014 7:19:11 AM, SYSTEM, GAGE-PC, Manual, Rootkit Database, 2014.2.20.1, 2014.3.27.1,
Update, 4/29/2014 7:19:15 AM, SYSTEM, GAGE-PC, Manual, Malware Database, 2014.3.4.9, 2014.4.29.3,
Update, 4/29/2014 7:19:18 AM, SYSTEM, GAGE-PC, Manual, program, 2.0.0.1000, 2.0.1.1004,
Protection, 4/29/2014 7:19:40 AM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Stopping,
Protection, 4/29/2014 7:19:40 AM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Stopped,
Protection, 4/29/2014 7:19:40 AM, SYSTEM, GAGE-PC, Protection, Malware Protection, Stopping,
Protection, 4/29/2014 7:19:40 AM, SYSTEM, GAGE-PC, Protection, Malware Protection, Stopped,
Protection, 4/29/2014 7:19:53 AM, SYSTEM, GAGE-PC, Protection, Malware Protection, Starting,
Protection, 4/29/2014 7:19:53 AM, SYSTEM, GAGE-PC, Protection, Malware Protection, Started,
Protection, 4/29/2014 7:19:53 AM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Starting,
Protection, 4/29/2014 7:19:53 AM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Started,
Update, 4/29/2014 7:19:55 AM, SYSTEM, GAGE-PC, Manual, Rootkit Database, 2014.2.20.1, 2014.3.27.1,
Update, 4/29/2014 7:19:56 AM, SYSTEM, GAGE-PC, Manual, Malware Database, 2014.3.4.9, 2014.4.29.3,
Protection, 4/29/2014 7:19:57 AM, SYSTEM, GAGE-PC, Protection, Refresh, Starting,
Protection, 4/29/2014 7:19:57 AM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Stopping,
Protection, 4/29/2014 7:19:57 AM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Stopped,
Protection, 4/29/2014 7:19:59 AM, SYSTEM, GAGE-PC, Protection, Refresh, Success,
Protection, 4/29/2014 7:19:59 AM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Starting,
Protection, 4/29/2014 7:19:59 AM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Started,
Protection, 4/29/2014 7:24:55 AM, SYSTEM, GAGE-PC, Protection, Malware Protection, Starting,
Protection, 4/29/2014 7:24:55 AM, SYSTEM, GAGE-PC, Protection, Malware Protection, Started,
Protection, 4/29/2014 7:24:55 AM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Starting,
Protection, 4/29/2014 7:25:02 AM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Started,
Protection, 4/29/2014 12:41:08 PM, SYSTEM, GAGE-PC, Protection, Malware Protection, Starting,
Protection, 4/29/2014 12:41:08 PM, SYSTEM, GAGE-PC, Protection, Malware Protection, Started,
Protection, 4/29/2014 12:41:08 PM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Starting,
Protection, 4/29/2014 12:41:13 PM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Started,
Update, 4/29/2014 1:54:24 PM, SYSTEM, GAGE-PC, Scheduler, Malware Database, 2014.4.29.3, 2014.4.29.6,
Protection, 4/29/2014 1:54:24 PM, SYSTEM, GAGE-PC, Protection, Refresh, Starting,
Protection, 4/29/2014 1:54:24 PM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Stopping,
Protection, 4/29/2014 1:54:24 PM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Stopped,
Protection, 4/29/2014 1:54:27 PM, SYSTEM, GAGE-PC, Protection, Refresh, Success,
Protection, 4/29/2014 1:54:27 PM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Starting,
Protection, 4/29/2014 1:54:27 PM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, Started,
Detection, 4/29/2014 2:43:51 PM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, IP, 207.226.177.42,www. lookroom . net [[I removed the hyperlink here]], 61623, Outbound, C:\Program Files (x86)\Internet Explorer\iexplore.exe,
Detection, 4/29/2014 2:43:51 PM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, IP, 207.226.177.42, www. lookroom . net [[I removed the hyperlink here]], 61623, Outbound, C:\Program Files (x86)\Internet Explorer\iexplore.exe,
Detection, 4/29/2014 2:43:51 PM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, IP, 207.226.177.42,www. lookroom . net [[I removed the hyperlink here]], 61622, Outbound, C:\Program Files (x86)\Internet Explorer\iexplore.exe,

(end)

 

 

 

Upon restarting my PC I noticed I've got a little error message on my internet connection icon...  even though my internet appears to be working fine.

EDIT: Upon restarting again this message is no longer there; the icon is back to normal.

 

[screenshot: 7tcp2z3.png]


Edited by tsuyoi.ai, 29 April 2014 - 05:07 PM.
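Two things worth pulling out of a protection log like the one posted above are the blocked outbound connections per process and how far out of date the signature databases were before the manual update. This added parser is not from the thread or from Malwarebytes; it reads a constructed log in the same layout, with the IP (TEST-NET-3) and hostname (.invalid) replaced by placeholders.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the MBAM 2.0 protection log posted in the thread;
# the IP (TEST-NET-3) and hostname (.invalid) are placeholders, not the real ones.
SAMPLE_LOG = """\
www.malwarebytes.org
Protection, 4/29/2014 7:18:47 AM, SYSTEM, GAGE-PC, Protection, Malware Protection, Started,
Update, 4/29/2014 7:19:11 AM, SYSTEM, GAGE-PC, Manual, Rootkit Database, 2014.2.20.1, 2014.3.27.1,
Update, 4/29/2014 7:19:15 AM, SYSTEM, GAGE-PC, Manual, Malware Database, 2014.3.4.9, 2014.4.29.3,
Detection, 4/29/2014 2:43:51 PM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, IP, 203.0.113.42,www.example.invalid, 61623, Outbound, C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe,
Detection, 4/29/2014 2:43:51 PM, SYSTEM, GAGE-PC, Protection, Malicious Website Protection, IP, 203.0.113.42, www.example.invalid, 61622, Outbound, C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe,
(end)
"""
TS_FMT = "%m/%d/%Y %I:%M:%S %p"
KINDS = ("Protection", "Update", "Detection", "Error")

def parse_entries(text):
    """Yield one dict per entry; the comma is not always followed by a space, so split on ',' and strip."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7 or fields[0] not in KINDS:
            continue  # header, footer or blank line
        entry = {"kind": fields[0], "ts": datetime.strptime(fields[1], TS_FMT),
                 "host": fields[3], "feature": fields[5]}
        if fields[0] == "Update":
            entry.update(old=fields[6], new=fields[7])
        elif fields[0] == "Detection" and fields[6] == "IP":
            entry.update(ip=fields[7], domain=fields[8], port=int(fields[9]),
                         direction=fields[10], process=fields[11])
        yield entry

def blocked_connections(text):
    """Count Malicious Website Protection blocks per (process, remote IP, direction)."""
    counts = Counter()
    for e in parse_entries(text):
        if e["kind"] == "Detection":
            counts[(e["process"], e["ip"], e["direction"])] += 1
    return counts

def stale_databases(text, max_age_days=7):
    """Databases whose pre-update version (dated YYYY.M.D.seq) was older than max_age_days."""
    stale = {}
    for e in parse_entries(text):
        if e["kind"] != "Update" or not e["feature"].endswith("Database"):
            continue
        year, month, day, _ = (int(p) for p in e["old"].split("."))
        age = (e["ts"] - datetime(year, month, day)).days
        if age > max_age_days:
            stale[e["feature"]] = age
    return stale
```

On the sample both signature databases come back weeks stale, which is the first thing to check before trusting an earlier "nothing found" from any scanner.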


#4 tsuyoi.ai


Posted 30 April 2014 - 05:36 PM

UPDATE: I factory reset my router and it fixed all problems on the other devices.  But before I reconnect my PC I want to make sure I've gotten rid of whatever caused all the problems.  What's the next step for me?



#5 Kirbyofdeath


Posted 01 May 2014 - 12:56 PM

Sounds like router malware; the factory reset seems to have worked. Download AdwCleaner and run it, then you should be clean. Let me know how it's going.





