Jump to content

redirected to toseeka, allthebrands, and other misc off of google search results


Recommended Posts

Hello I am new to the site and I seem to have run into a malware item that has hijacked all of my search results. This is what is happening and what I have done so far. I noticed that when I would do a google search, that would work fine, but when I would click on one of the results it would show the website name as if IE was taking me to the recommended website, but then would be redirected to some random search websites with several different names like toseeka.com, ave99.com, allthebrands.com, iprowl.com, etc, etc. If I caught it in time I could highlight the correct web address and do a ctrl+c before I was redirected. Then if I pasted the web address in, it would actually take me to that website, but that was the only way that I could get to any of the results.

I did a google search and downloaded SUPERAntispyware with my other computer to a jump drive and was able to load that on my laptop(the infected one) and did a scan. It came up with Trojan.Dropper/WIN-NV and removed it. I then went through the same process with Malwarebytes, although when I tried to update Malwarebytes it gave me the error "An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team. Error code: 732 (0,0)". But I was able to do a scan anyway with the version I was able to install and the following is the log:

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 6.0.6002 Service Pack 2

8/20/2009 9:08:26 PM

mbam-log-2009-08-20 (21-08-26).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 198733

Time elapsed: 52 minute(s), 28 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

C:\WINDOWS\pp11.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\pp11.exe (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\ld14.exe (Worm.KoobFace) -> Quarantined and deleted successfully.

After having Malwarebytes Quarantine and delete the files I restarted the laptop and I reconnected the wireless (both scans were done with the wireless disconnected) and tried doing a google search again. Once again that part worked fine, but when I would click on one of the results I was still redirected to one of the random search sites. So I did a full scan with McAfee, SUPERAntispyware, and Malwarebytes again and came up with nothing found on your computer or any other message that showed a virus. So I went to the forum and followed the suggestion of installing HiJackThis and posting the results to this forum. The following is the results of that scan:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:09:31 AM, on 8/22/2009

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18813)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe

C:\WINDOWS\SMINST\scheduler.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\PDF Complete\pdfsty.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\igfxpers.exe

C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"

O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\RunOnce: [sT Recovery Launcher] %WINDIR%\SMINST\launcher.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClient Control) - https://webaccess.schneiderlogistics.com/da...SetupClient.cab

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - AppInit_DLLs: APSHook.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe

O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--

End of file - 9183 bytes

I am hoping that somebody can help me with the problem before it gets to out of hand.

Thanks.

Link to post
Share on other sites

  • Staff

Hi tritondog31 and welcome to Malwarebytes.

1. Uninstall Malwarebytes' Anti-Malware using Add or Remove programs in the Control Panel.

2. Restart your computer (very important).

3. Download and run this utility.

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here.

Note: You will need to reactivate the program using the license you were sent via e-mail if you purchased it.

Try updating MBAM and running a Quick Scan now; post its log

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Hi tritondog31 and welcome to Malwarebytes.

1. Uninstall Malwarebytes' Anti-Malware using Add or Remove programs in the Control Panel.

2. Restart your computer (very important).

3. Download and run this utility.

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here.

Note: You will need to reactivate the program using the license you were sent via e-mail if you purchased it.

Try updating MBAM and running a Quick Scan now; post its log

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

I followed all of the instructions below. I was able to uninstall malwarebytes, and reinstall from the location you specified, but was unable to update to the current version. It gave me the same 732 (0,0) error code. The following is the quick scan log, the Combofix log. Although when I went to run a new HJT log and double clicked on the icon it gave me the following error "Illegal operation attempted on a registry key that has been marked for deletion". I also tried to reinstall HJT from the flash drive that I had loaded it onto and got the same error.

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 6.0.6002 Service Pack 2

8/24/2009 9:23:24 PM

mbam-log-2009-08-24 (21-23-24).txt

Scan type: Quick Scan

Objects scanned: 90521

Time elapsed: 5 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Combo fix log

ComboFix 09-08-24.05 - Dave 08/24/2009 22:33.1.2 - NTFSx86

Microsoft

Link to post
Share on other sites

I followed all of the instructions below. I was able to uninstall malwarebytes, and reinstall from the location you specified, but was unable to update to the current version. It gave me the same 732 (0,0) error code. The following is the quick scan log, the Combofix log. Although when I went to run a new HJT log and double clicked on the icon it gave me the following error "Illegal operation attempted on a registry key that has been marked for deletion". I also tried to reinstall HJT from the flash drive that I had loaded it onto and got the same error.

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 6.0.6002 Service Pack 2

8/24/2009 9:23:24 PM

mbam-log-2009-08-24 (21-23-24).txt

Scan type: Quick Scan

Objects scanned: 90521

Time elapsed: 5 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Combo fix log

ComboFix 09-08-24.05 - Dave 08/24/2009 22:33.1.2 - NTFSx86

Microsoft

Link to post
Share on other sites

  • Staff

Restart your computer and see if the the "Illegal operation..." messages still come up.

Update SAS, run a scan, and post its log please.

Next, please run a GMER Rootkit scan:

Download GMER's application from here:

http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

-screen317

Link to post
Share on other sites

Restart your computer and see if the the "Illegal operation..." messages still come up.

Update SAS, run a scan, and post its log please.

Next, please run a GMER Rootkit scan:

Download GMER's application from here:

http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

-screen317

I was able to restart my laptop and the error did go away. I was able to update SuperAntispyware to the latest version and run a scan. SAS was run with McAfee active. It found instances of Trojan.Agent/Gen-DDNS and quarantined and deleted the two instances and rebooted. I downloaded the gmer file and unzipped and double and started gmer.exe. It started the scan ( I did stop it and restarted the scan because it only picked the C: drive and not the D: and G: drive) I then restarted it after selecting those drives. It then crashed after several seconds. I tried to restart the gmer.exe and got the BSOD.

I was able to shut it down after the BSOD and reboot my laptop though. I did not try to restart gmer.exe a third time. I have not tried to open anything else or run anything else as I don't want to try anything that you do not know about.

Here is the scan from SAS

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 08/25/2009 at 08:06 PM

Application Version : 4.27.1002

Core Rules Database Version : 4071

Trace Rules Database Version: 2011

Scan type : Quick Scan

Total Scan Time : 00:35:21

Memory items scanned : 669

Memory threats detected : 1

Registry items scanned : 481

Registry threats detected : 0

File items scanned : 26966

File threats detected : 1

Trojan.Agent/Gen-DDNS

C:\PROGRAM FILES\DDNSFILTER\DDNSFILTER.DLL

C:\PROGRAM FILES\DDNSFILTER\DDNSFILTER.DLL

I appreciate your help keep it coming.

Dave

Link to post
Share on other sites

  • Staff

Hi Dave,

1. Uninstall Malwarebytes' Anti-Malware using Add or Remove programs in the Control Panel.

2. Restart your computer (very important).

3. Download and run this utility.

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here.

Note: You will need to reactivate the program using the license you were sent via e-mail if you purchased it.

Update it, run a Quick Scan, and post its log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317

Link to post
Share on other sites

Hi Dave,

1. Uninstall Malwarebytes' Anti-Malware using Add or Remove programs in the Control Panel.

2. Restart your computer (very important).

3. Download and run this utility.

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here.

Note: You will need to reactivate the program using the license you were sent via e-mail if you purchased it.

Update it, run a Quick Scan, and post its log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317

Okay after I replied last time I know I said I wouldn't do anything before I heard from you, but I did update Mbam and did a scan. Here is the log:

Malwarebytes' Anti-Malware 1.40

Database version: 2702

Windows 6.0.6002 Service Pack 2

8/26/2009 9:21:56 PM

mbam-log-2009-08-26 (21-21-56).txt

Scan type: Quick Scan

Objects scanned: 93673

Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsFilter (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ddnsfilter (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\ddnsfilter (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\DDnsFilter (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:

C:\Windows\system32\Drivers\DnsFilter.sys (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\WINDOWS\0535251103110107106.yux (KoobFace.Trace) -> Quarantined and deleted successfully.

The Koobface one was one that was found with one of the very early scans. I then followed your instructions and after reloading Mbam I did another scan and it found nothing. I then scanned with F-Secure and the following is the log:

Scanning Report

Thursday, August 27, 2009 23:50:02 - 00:30:08

Computer name: DAVE-PC

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\ E:\

--------------------------------------------------------------------------------

4 malware found

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Webtrends (spyware)

System (Disinfected)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 76536

System: 3763

Not scanned: 16

Actions:

Disinfected: 4

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM

C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB

C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB

C:\BOOT\BCD

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

I then did your security check and the following is that log:

Results of screen317's Security Check version 0.98.9

Windows Vista Service Pack 2

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

McAfee VirusScan Enterprise

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

SUPERAntiSpyware Free Edition

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 15

Java SE Runtime Environment 6

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 10

``````````````````````````````

Process Check:

objlist.exe by Laurent

McAfee VirusScan Enterprise shstat.exe

Windows Defender MSASCui.exe

``````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````

I did everything from this last email from the laptop itself and was not redirected. I also did a google search and clicked on one of the results and was not redirected at that point either. Although I am still not sure if I am done, because that Koobface worm came back after Mbam caught it on the scan on 8/20/09 the day I started this thread and then again when I did the scan last night.

Thanks again,

Dave

Link to post
Share on other sites

  • Staff

Great to hear Dave. :)

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

  • 2 weeks later...
Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.