
Malware causing google redirect in firefox, IE will not run



Hello,

I offered to fix my father's PC for him and have done considerable clean-up work on my own. However, there is still an infection that is disabling IE and causing a redirect of www.google.com in Firefox. I have no idea what to do next. I followed the instructions in the sticky and came across a problem while running GMER: the computer shut down unexpectedly and rebooted itself. So I am posting my MBAM and DDS logs and I will wait for further instructions. Thank you for your help on this issue.

MBAM:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4182

Windows 6.0.6002 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18904

6/8/2010 11:49:44 PM

mbam-log-2010-06-08 (23-49-44).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 293761

Time elapsed: 59 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS:

DDS (Ver_10-03-17.01) - NTFSx86

Run by LeeAnn at 17:58:11.49 on Thu 06/10/2010

Internet Explorer: 8.0.6001.18928

Microsoft

Attach.zip


Hello,

My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hello, thank you for your assistance. Please see my ComboFix log below.

ComboFix Log:

ComboFix 10-06-13.01 - LeeAnn 06/13/2010 16:52:32.1.2 - x86

Microsoft


Hello there,

That looks a lot better already :)

How are things running now? What problems do you still have left (first run the fix below, then look for remaining problems).

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

Folder::
c:\programdata\yazabozo
c:\programdata\majayude
c:\programdata\bozikuyo

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts]

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
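The two DDS entries in the script above are the actual redirect mechanism: the user's Internet Settings point every HTTP request at a proxy on 127.0.0.1:5555, so whatever process is listening on that port sees and rewrites the Google traffic. The following script is an added example, not part of the original post or of DDS/ComboFix: it parses DDS-style "Internet Settings" lines and flags any ProxyServer entry that resolves to the local machine, and it goes one step beyond the thread by also checking a hosts file for entries that send google.com (or any watched domain) to a routable address, the other common cause of the same symptom. The DDS and hosts samples below are constructed for the example.

```python
"""Detect two browser-redirect mechanisms: a proxy pointed at a loopback port
(as in the DDS lines in the CF-script above) and hosts-file entries that
hijack well-known domains.  All sample inputs here are constructed."""
import ipaddress
import os
import re
from typing import Dict, List

# Constructed sample: DDS-style "uInternet Settings" lines from a report.
SAMPLE_DDS = """\
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.example.com/
"""

# Constructed sample hosts file. The 0.0.0.0 line is a blocking entry in the
# MVPS style; the last line is the kind of entry that redirects www.google.com
# to an attacker-controlled host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net
203.0.113.7     www.google.com google.com
"""

# "u" prefix = per-user (HKCU) setting, "m" prefix = machine-wide (HKLM).
DDS_LINE = re.compile(
    r"^[um]?Internet Settings,(ProxyServer|ProxyOverride|ProxyEnable)\s*=\s*(.*)$")
# ProxyServer is either "host:port" or "http=host:port;https=host:port;...".
PROXY_ENTRY = re.compile(r"(?:(?P<scheme>\w+)=)?(?P<host>[^:;\s]+):(?P<port>\d+)")


def _is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname other than localhost; not loopback by itself


def suspicious_proxies(dds_text: str) -> List[Dict[str, str]]:
    """Return every ProxyServer entry that points at the local machine.
    A loopback proxy in a home user's Internet Settings almost always means a
    local process is intercepting and rewriting browser traffic."""
    hits = []
    for line in dds_text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m or m.group(1) != "ProxyServer":
            continue
        for entry in PROXY_ENTRY.finditer(m.group(2)):
            if _is_loopback(entry.group("host")):
                hits.append({"scheme": entry.group("scheme") or "all",
                             "host": entry.group("host"),
                             "port": entry.group("port")})
    return hits


def hijacked_hosts(hosts_text: str, watch: List[str]) -> List[Dict[str, str]]:
    """Return hosts-file entries that map a watched domain (or a subdomain of
    it) to a routable address.  Loopback and 0.0.0.0 entries are blocking
    entries, not redirects, and are ignored."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; nothing resolvable here
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if any(name == w or name.endswith("." + w) for w in watch):
                hits.append({"name": name, "address": addr})
    return hits


def check_live_hosts(watch: List[str]) -> List[Dict[str, str]]:
    """Apply hijacked_hosts() to the running machine's hosts file."""
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    if not os.path.exists(path):
        path = "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return hijacked_hosts(fh.read(), watch)


if __name__ == "__main__":
    print("loopback proxies:", suspicious_proxies(SAMPLE_DDS))
    print("hijacked hosts:  ", hijacked_hosts(SAMPLE_HOSTS, ["google.com"]))
```

On the sample DDS text the first function reports the http proxy on 127.0.0.1:5555; a corporate proxy such as proxy.corp.example:8080 is not reported, which is the distinction that matters when triaging a machine that legitimately uses a proxy. After removing the setting, confirm nothing is still listening on the port (netstat -ano on Windows) before declaring the redirect fixed.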


Windows Update worked as it should! Here is the MBAM full scan log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4198

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18928

6/14/2010 6:30:07 PM

mbam-log-2010-06-14 (18-30-07).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 290906

Time elapsed: 1 hour(s), 15 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Well done :)

Let's do one last check. Please let me know if there are any problems left.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


C:\ProgramData\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined

C:\ProgramData\fuworudo\odurowuf.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\ProgramData\fuzadule\eludazuf.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\ProgramData\hagokoze\ezokogah.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\ProgramData\jawidepe\epediwaj.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\ProgramData\kayezera\arezeyak.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\ProgramData\kokuluga\agulukok.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\ProgramData\kusunumi\imunusuk.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\ProgramData\kuwotiso\ositowuk.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\ProgramData\lajihuga\aguhijal.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\ProgramData\meberomu\umorebem.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\ProgramData\nujeripa\apirejun.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\ProgramData\sokajuji\ijujakos.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\ProgramData\yapiyizo\oziyipay.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\ProgramData\majayude\eduyajam.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\ProgramData\yazabozo\ozobazay.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Users\LeeAnn\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\FFTextLinks.dll probably a variant of Win32/Adware.Gamevance.AG application cleaned by deleting - quarantined
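Every Virtumonde path in the scan output above follows one naming rule: an eight-letter lowercase folder under ProgramData (fuworudo, kayezera, yazabozo) containing an .ini whose name is the folder name spelled backwards (odurowuf, arezeyak, ozobazay). The script below is an added example, not part of the original post or of ESET's scanner: it turns that observation into a check that can be run over a list of paths from any scan log, or walked over a live ProgramData tree, so leftover droppings can be found without waiting for a signature. The sample paths are constructed to mirror the output above, and the exact eight-letter length is an assumption taken from those samples.

```python
"""Flag <dir>\\<name>.ini pairs where the file name is the folder name
reversed, the pattern visible in every Virtumonde hit listed above.
Sample paths are constructed; the 8-letter length is an assumption."""
import os
import re
from pathlib import PureWindowsPath
from typing import List

# Constructed sample: three paths in the style of the scan output above plus
# two benign entries that must not be flagged.
SAMPLE_PATHS = [
    r"C:\ProgramData\fuworudo\odurowuf.ini",
    r"C:\ProgramData\kayezera\arezeyak.ini",
    r"C:\ProgramData\yapiyizo\oziyipay.ini",
    r"C:\ProgramData\Microsoft\User Account Pictures\user.bmp",
    r"C:\ProgramData\Adobe\settings.ini",
]

# Eight lowercase letters, as in the folder names above (assumed length;
# widen the range if your own samples differ).
RANDOM_NAME = re.compile(r"^[a-z]{8}$")


def is_mirrored_pair(path: str) -> bool:
    """True when the .ini stem equals the parent folder name reversed and
    both look like generated names."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".ini":
        return False
    folder, stem = p.parent.name, p.stem
    if not (RANDOM_NAME.match(folder) and RANDOM_NAME.match(stem)):
        return False
    return stem == folder[::-1]


def mirrored_pairs(paths: List[str]) -> List[str]:
    """Filter a list of paths (e.g. lines copied from a scan log) down to the
    ones matching the reversed-name pattern."""
    return [p for p in paths if is_mirrored_pair(p)]


def scan_tree(root: str) -> List[str]:
    """Walk a live directory such as C:\\ProgramData and apply the same check."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_mirrored_pair(full):
                found.append(full)
    return found


if __name__ == "__main__":
    for hit in mirrored_pairs(SAMPLE_PATHS):
        print("mirrored pair:", hit)
```

A hit is a strong lead, not proof on its own: eight random letters reversed is a cheap test to fake and an unrelated installer could in principle produce such a name, so treat each flagged folder as something to examine (creation time, contents, any matching CLSID in the registry) rather than delete blindly.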


Hi there,

That was some leftover Vundo together with files from the ComboFix quarantine/System Restore, which is good news :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS and GMER (this is a random named file).

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide resident protection and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPS hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

