
Search redirects, attempted popups, and other issues...


Minrad


So I had NoScript off for one dumb reason or another and got a pop-up from Megaupload; my system seizes up and I immediately suspect I probably have malware issues on my computer as anti-virus install warnings start popping up.

I installed Malwarebytes and it cleared out the majority of issues, but I'm still having random tabs attempt to open in Firefox as well as IP addresses being blocked by Malwarebytes and attempts to redirect my Google searches.

DDS.txt:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Damian at 4:02:49.45 on Sun 02/21/2010

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_07

Microsoft


Hello,

Do tell me: are you getting guided help on another forum, or are you self-medicating?

The reason I ask this --- the logs show a Combofix usage today --- February 21.

I'm not, but after looking at a few topics here from other users having similar problems I got cocky and figured I could just take care of this myself. :lol:


Using Combofix without expert guided help is very dangerous.

Do NOT do any updates, changes, or adds in hardware or software while I am helping you. Similarly, do NOT run any tools or programs unless I ask you for it. Otherwise, I will recuse myself from this case. If you have questions, ask first.

De-install uTorrent ! and any other such app.

I do not recommend the use of such filesharing apps; downloading from unknown sources is one of the leading causes of transmission of malware.

File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Confirm you have removed all P-2-P apps.

Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • RIGHT click on RSIT.exe and then select "Run as Administrator" to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


You will want to print out or copy these instructions to Notepad for offline reference!

Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Let's have you get the Java runtime updated to the latest, and then run an online scan at ESET.

Step 1


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java Platform Standard Edition"
  • Click the "Download JRE" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Start button > in Start menu -- Control Panel > Uninstall a Program (listed under Programs).
    {In Classic view, double click Program and features}.
    and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • De-install/Remove each of the following:
    Java 6 Update 4
    Java 6 Update 6
    Java 6 Update 7
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files Window.

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    • Click OK to leave the Temporary Files Window.

Small tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:

Click Advanced Tab. Expand the Miscellaneous item.

UN-check the line Java quick starter

If you want to also un-check the "Check for updates automatically" you may:

Click the Update tab. un-check the line if it is checked.

Press Apply then OK. Close the applet when done.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_18 from Sun Microsystems Inc.

Step 2

Temporarily disable your antivirus. Do not turn off the firewall. See this reference

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

You will want to print out or copy these instructions to Notepad for offline reference!

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to ESET Online Scanner website:

http://www.eset.com/onlinescan/

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    • Do not use the system while the scan is running. Once the full scan is underway, go take a long break.

Step 3

De-install the HijackThis program currently installed. Start button > in Start menu -- Control Panel > Uninstall a Program (listed under Programs).

{In Classic view, double click Program and features}.

RE-Enable your AntiVirus and AntiSpyware applications.

Download the HijackThis Installer

Save the HJT Installer to your desktop or the folder of your choice, then navigate to that folder and double-click Hijackthis.msi to start the installation.

When the Trend Micro HJT install box appears, click Install.

HijackThis (HJT) will be installed in the C:\Program Files\Trend Micro\HijackThis folder by default and a desktop shortcut will be created.

Next, start HijackThis. Do a "Scan and Save log".

Post back with copies of the Eset scan log and

HijackThis log.

How is your system now?

There will be more to do.


ESET log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=a9c25399255efc4596ef03329368e2a0

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-02-23 04:55:36

# local_time=2010-02-23 10:55:36 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=6.0.6001 NT Service Pack 1

# compatibility_mode=512 16777215 100 0 58906740 58906740 0 0

# compatibility_mode=768 16777215 100 0 10452611 10452611 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=219747

# found=2

# cleaned=2

# scan_time=2823

C:\Users\Damian\AppData\Roaming\Thinstall\Microsoft Office Enterprise 2007\1000000e00002h\rundll32.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Damian\AppData\Roaming\Thinstall\Microsoft Office Enterprise 2007\300000007100002h\ODSERV.EXE probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

HJT log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 11:01:00 AM, on 2/23/2010

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe

C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\WLan\WLAN Optimizer.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Windows Media Player\WMPSideShowGadget.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [WLAN Optimizer] C:\Program Files\WLan\WLAN Optimizer.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe

O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

--

End of file - 5664 bytes

I assume it's safe to delete the quarantined items from the ESET scan? Not touching them for now.

RE: System;

Still having malicious IPs being blocked by Malwarebytes while browsing the web.
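The HijackThis log above is the kind of listing a helper reads by hand. The following is an added example, not code from this thread or from Trend Micro, showing how a helper might parse the R0/R1, O1, O2, O4 and O23 entry formats into records and pull out the two things usually checked first: hosts-file entries that steer a name somewhere other than loopback, and autoruns, BHOs or services loading from outside Program Files or Windows. The sample input reuses lines from the log above plus one constructed O4 line ("Example Updater" under AppData) that is not from the thread; a flagged entry is something to look at, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a header line, one "Running processes" line and entries copied
# from the HijackThis log quoted in this thread, plus ONE constructed O4 line
# (the "Example Updater" under AppData) that is NOT from the thread.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
C:\Windows\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [WLAN Optimizer] C:\Program Files\WLan\WLAN Optimizer.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O4 - HKCU\..\Run: [Example Updater] C:\Users\Damian\AppData\Roaming\example\updater.exe
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Locations a helper usually treats as expected; 8.3 short names (PROGRA~1) included.
TRUSTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows")

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class HjtEntry:
    code: str                       # section code such as "O4"
    raw: str                        # the original log line
    fields: dict = field(default_factory=dict)


def executable_path(cmd: str) -> str:
    """Pull the executable out of a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(?i)^(.*?\.exe)", cmd)
    return m.group(1) if m else cmd


def parse_hjt(text: str) -> list:
    """Turn HJT log lines into HjtEntry records; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:                   # header, "Running processes" paths, blanks
            continue
        code, body = m.group("code"), m.group("body")
        entry = HjtEntry(code, line.strip())
        if code in ("R0", "R1"):
            key, _, value = body.partition(" =")
            entry.fields = {"key": key, "value": value.strip()}
        elif code == "O1":
            hm = HOSTS_RE.match(body)
            if hm:
                entry.fields = hm.groupdict()
        elif code in ("O2", "O23"):
            # "BHO: name - {clsid} - path" / "Service: name - vendor - path".
            # Split from the right so a name containing " - " stays intact.
            parts = body.split(": ", 1)[1].rsplit(" - ", 2)
            if len(parts) == 3:
                middle = "clsid" if code == "O2" else "vendor"
                entry.fields = {"name": parts[0], middle: parts[1], "path": parts[2]}
        elif code == "O4":
            rm = RUN_RE.match(body)
            if rm:
                entry.fields = rm.groupdict()
                entry.fields["path"] = executable_path(entry.fields["cmd"])
        entries.append(entry)
    return entries


def triage(entries) -> list:
    """Return (code, note) pairs a helper would look at first."""
    findings = []
    for e in entries:
        if e.code == "O1" and e.fields and e.fields["ip"] not in LOOPBACK:
            findings.append((e.code, f"hosts file sends {e.fields['host']} to {e.fields['ip']}"))
        elif e.code in ("O2", "O4", "O23"):
            path = e.fields.get("path", "")
            if path and not path.lower().startswith(TRUSTED_ROOTS):
                findings.append((e.code, f"loads from an unusual location: {path}"))
    return findings


if __name__ == "__main__":
    for code, note in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(code, note)
```

Run against the sample it reports two items: the O1 line that points serial.alcohol-soft.com at 127.255.255.255 (a non-loopback hosts entry, which is worth a second look even though it is often a deliberate licensing block) and the constructed AppData autorun. The "Running processes" paths and the R0/R1 search settings are parsed but not flagged; deciding whether home.peoplepc.com is the user's intended search page is a judgement call the script leaves to the helper.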


2 files were removed by the ESET scan. You don't need to remove anything.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Reply with copy of Checkup.txt

and look for a log on your C drive named Combofix.txt { C:\Combofix.txt }

if found, then Copy and Paste the contents of that, too.

Which sites are you browsing when you get a malicious IP notice?

Does that happen in IE browser or Firefox ---- one or both?

Also, Be certain this system has no peer-to-peer filesharing apps !


Checkup.txt:

Results of screen317's Security Check version 0.99.1

Windows Vista Service Pack 1 (UAC is disabled!)

Out of date service pack!!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

WMIC entry does not exist for antivirus; attempting automatic update.

``````````````````````````````

Anti-malware/Other Utilities Check:

Spybot - Search & Destroy

SUPERAntiSpyware Free Edition

TuneUp Utilities 2008

Java 6 Update 18

Java Auto Updater

Out of date Java installed!

Adobe Flash Player 10

``````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

I didn't have any logs saved by Combofix in the C:\ drive.

As for the sites, I get notifications about IPs being blocked on some page loads and refreshes, and it's guaranteed to come up if I try to Google something and then click a link. I get the notifications while using Internet Explorer or Firefox or both.

I'm very sure that uTorrent was the only p2p I had installed, and I uninstalled it already.


The system doesn't appear to have an installed antivirus program. You must have one.

Job 1 for you is to install one.

If cost is an issue,

Get either Microsoft Security Essentials http://www.microsoft.com/security_essentials/

or

Avira AntiVir from http://www.free-av.com

or

Avast http://www.avast.com/index

Install. Then logoff and restart system. Rerun Securitycheck again. Reply with copy of Checkup.txt

Having an AV is a must. Never go on the internet without it.

The AV will not cure the issue you see with the blocked IPs.


I had MSE installed but I forgot to reenable the active protection after turning it off for one of the steps a few days ago; I tried reenabling it and rebooting but it still doesn't seem to show up in the Checkup log.

Results of screen317's Security Check version 0.99.1

Windows Vista Service Pack 1 (UAC is disabled!)

Out of date service pack!!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

WMIC entry does not exist for antivirus; attempting automatic update.

``````````````````````````````

Anti-malware/Other Utilities Check:

Spybot - Search & Destroy

SUPERAntiSpyware Free Edition

TuneUp Utilities 2008

Java 6 Update 18

Java Auto Updater

Out of date Java installed!

Adobe Flash Player 10

``````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Ok. As long as MSE is active, I won't worry.

Now, then, to the issue of IP blocked prompts: as long as there is no malware onboard, you have no peer-to-peer apps, and you are only seeing these occasionally when surfing... then...

read, review, study this sub-topic by Ron on IP blocks

http://forums.malwarebytes.org/index.php?s...mp;#entry162100

Consider using the silent IP mode.


I'm reading through it and the silent IP blocking will be very helpful; it's mostly the notification that annoys me.

However, occasionally some IPs aren't being blocked and a popup or redirect will open up (although the web page itself is blocked by NoScript); is there any way I can add these IPs to the auto blocker as well?


"is there any way I can add these IPs to the auto blocker as well?"

Not with the current MBAM version.

Let's give this a try, to have you use the MVP Hosts file --that blocks a lot of unsavory & unfriendly sites + ad sites too.

Get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm

Steps to follow for the MVP Hosts file:

1) Download and SAVE the zip file to a temporary folder

2) Unzip (extract the contents) in the same folder

3) After extract is complete, run mvps.bat batch file. This copies your pre-existing Hosts file to Hosts.mvp in the folder where Windows' Hosts resides

typically, C:\WINDOWS\system32\drivers\etc

and after that copy is saved, it replaces the old Hosts with the new one.

And you should see (in the blue background command window) the following:

_________________________________________________
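The steps above describe what mvps.bat does: copy the current Hosts file to Hosts.mvp in the same folder, then drop the new file in its place. The following is an added example, not the thread's or the MVPS project's own script, that does the same backup-then-replace and adds the check a helper would want before trusting any hosts file: every entry must point at a null route (0.0.0.0, 127.0.0.1 or ::1), because an entry that steers a name to a routable address is exactly how a tampered hosts file produces the search redirects this thread is about. The Windows folder path, the Hosts.mvp name and the two sample hosts files are assumptions or constructed samples; the demo function runs the whole round trip in a scratch directory so it works on any OS.

```python
import ipaddress
import shutil
import tempfile
from pathlib import Path

# Where Windows keeps its hosts file (the thread's "C:\WINDOWS\system32\drivers\etc").
WINDOWS_HOSTS_DIR = Path(r"C:\Windows\System32\drivers\etc")
# Addresses a blocklist-style hosts file is allowed to point names at.
NULL_ROUTES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample in the MVPS layout (not the real MVPS file).
SAMPLE_BLOCKLIST_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
0.0.0.0 ad.example.com        # comment after the entry
0.0.0.0 tracker.example.net
"""

# Constructed sample of what a tampered hosts file looks like: a real-looking name
# steered to a routable address (203.0.113.5 is a documentation-range address).
SAMPLE_TAMPERED_HOSTS = """\
127.0.0.1 localhost
203.0.113.5 login.example.com
"""


def audit_hosts(text: str):
    """Return (blocked_names, suspicious_lines).

    blocked_names counts names mapped to a null route; suspicious_lines holds
    (line_number, line) for entries that steer a name to any other address,
    which is how a hijacked hosts file redirects searches and logins.
    """
    blocked, suspicious = 0, []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()      # drop comments
        if not entry:
            continue
        parts = entry.split()
        if len(parts) < 2:
            suspicious.append((lineno, line))       # malformed entry
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            suspicious.append((lineno, line))       # not an address at all
            continue
        if addr in NULL_ROUTES:
            blocked += sum(1 for n in names if n != "localhost")
        else:
            suspicious.append((lineno, line))
    return blocked, suspicious


def install_hosts(new_hosts: Path, hosts_dir: Path = WINDOWS_HOSTS_DIR,
                  backup_name: str = "Hosts.mvp") -> int:
    """Back up the current hosts file to Hosts.mvp, then put the new one in place.

    Refuses to install a file that redirects any name to a routable address.
    On Windows the target is admin-only, so run this elevated.
    Returns the number of names the new file null-routes.
    """
    text = new_hosts.read_text(encoding="utf-8", errors="replace")
    blocked, suspicious = audit_hosts(text)
    if suspicious:
        raise ValueError(f"refusing to install: suspicious entries {suspicious}")
    target = hosts_dir / "hosts"
    if target.exists():
        shutil.copy2(target, hosts_dir / backup_name)   # the mvps.bat backup step
    shutil.copy2(new_hosts, target)
    return blocked


def demo_in_temp_dir() -> dict:
    """Round-trip both samples in a scratch directory so this runs on any OS."""
    d = Path(tempfile.mkdtemp())
    (d / "hosts").write_text("127.0.0.1 localhost\n", encoding="utf-8")
    good = d / "hosts_new.txt"
    good.write_text(SAMPLE_BLOCKLIST_HOSTS, encoding="utf-8")
    blocked = install_hosts(good, d)
    bad = d / "hosts_bad.txt"
    bad.write_text(SAMPLE_TAMPERED_HOSTS, encoding="utf-8")
    try:
        install_hosts(bad, d)
        refused = False
    except ValueError:
        refused = True
    return {
        "blocked": blocked,
        "backup": (d / "Hosts.mvp").read_text(encoding="utf-8"),
        "installed": (d / "hosts").read_text(encoding="utf-8"),
        "tampered_refused": refused,
        "tampered_lines": [n for n, _ in audit_hosts(SAMPLE_TAMPERED_HOSTS)[1]],
    }


if __name__ == "__main__":
    print(demo_in_temp_dir())
```

The audit is also useful on its own: pointing audit_hosts at the current C:\Windows\System32\drivers\etc\hosts is a quick way to see whether anything there maps a name to a routable address, which is the same thing the O1 lines in a HijackThis log show.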

@Rhiana,

You must start your own post. This one here is for member Minrad only.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Please post there the Gmer.txt log,

the DDS logs and MBAM log

Don't post your logs here.


Cleanups / removals

Start button > in Start menu -- Control Panel > Uninstall a Program (listed under Programs).

{In Classic view, double click Program and features}.

Look for ESET Online and click the line for it. Select Change/Remove to de-install it.

Also de-install HijackThis

OK & Exit out of Control Panel

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

  • Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please RIGHT-click OTL.exe and select Run As Administrator to start it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

We are finished here. Best regards.


This topic is now closed to further replies.