
Random Browser Redirect



To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Next:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    explorer.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


SystemLook 04.09.10 by jpshortstuff

Log created at 00:23 on 19/11/2010 by derek

Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"

C:\Windows\explorer.exe --a---- 2923520 bytes [00:06 19/11/2010] [09:45 02/11/2006] 2774A3141A1FFEBA09C87463C84B2FAF

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe --a---- 2923520 bytes [08:47 02/11/2006] [09:45 02/11/2006] FD8C53FB002217F6F888BCF6F5D7084D

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe --a---- 2923520 bytes [23:50 19/10/2007] [23:50 19/10/2007] 6D06CD98D954FE87FB2DB8108793B399

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe --a---- 2923520 bytes [12:26 10/12/2008] [06:20 29/10/2008] 37440D09DEAE0B672A04DCCF7ABF06BE

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe --a---- 2923520 bytes [23:50 19/10/2007] [23:50 19/10/2007] BD06F0BF753BC704B653C3A50F89D362

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe --a---- 2923520 bytes [12:26 10/12/2008] [02:15 28/10/2008] E7156B0B74762D9DE0E66BDCDE06E5FB

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe --a---- 2927104 bytes [16:42 23/09/2008] [07:33 19/01/2008] FFA764631CB70A30065C12EF8E174F9F

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe --a---- 2927104 bytes [12:26 10/12/2008] [06:29 29/10/2008] 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe --a---- 2927616 bytes [12:26 10/12/2008] [03:59 30/10/2008] 50BA5850147410CDE89C523AD3BC606E

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe --a---- 2926592 bytes [13:45 24/09/2009] [06:27 11/04/2009] D07D4C3038F3578FFCE1C0237F2A1253

-= EOF =-

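A defender-side check on the SystemLook output above, written here as an added example that is not part of the thread or of SystemLook itself: it parses `:filefind` result lines and flags a live system file whose MD5 matches none of the WinSxS component-store copies of the same name, which is what the posted log shows for C:\Windows\explorer.exe (same size as the 6.0.6000.16386 copy, different hash). The sample log is a constructed, trimmed subset of the posted output.

```python
import re

# Constructed sample in SystemLook ":filefind" format, trimmed from the log posted above.
SAMPLE_LOG = """Searching for "explorer.exe"
C:\\Windows\\explorer.exe --a---- 2923520 bytes [00:06 19/11/2010] [09:45 02/11/2006] 2774A3141A1FFEBA09C87463C84B2FAF
C:\\Windows\\winsxs\\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\\explorer.exe --a---- 2923520 bytes [08:47 02/11/2006] [09:45 02/11/2006] FD8C53FB002217F6F888BCF6F5D7084D
C:\\Windows\\winsxs\\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\\explorer.exe --a---- 2927104 bytes [16:42 23/09/2008] [07:33 19/01/2008] FFA764631CB70A30065C12EF8E174F9F
-= EOF =-
"""

# One result line: <path> <attributes> <size> bytes [<modified>] [<created>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-\w]{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per result line; the header and the EOF marker are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def flag_live_copies(entries):
    """Compare each live (non-WinSxS) file with the component-store copies.

    Returns {live_path: reason}. A live binary whose hash matches no store copy,
    while its size still matches one, is the classic sign of an in-place patched
    system file and deserves verification against a known-good hash source."""
    store = [e for e in entries if "\\winsxs\\" in e["path"].lower()]
    findings = {}
    for e in entries:
        if "\\winsxs\\" in e["path"].lower():
            continue
        if any(s["md5"] == e["md5"] for s in store):
            continue  # identical to a pristine copy; nothing to flag
        same_size = [s for s in store if s["size"] == e["size"]]
        if same_size:
            findings[e["path"]] = "size matches %d WinSxS copy(ies) but MD5 does not" % len(same_size)
        else:
            findings[e["path"]] = "MD5 and size match no WinSxS copy"
    return findings
```
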

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
C:\fun.com


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"=""

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

c:\windows\Explorermgr.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If virscan.org is too busy you can try these.

http://virscan.org/

http://www.kaspersky.com/scanforvirus.html

http://www.virustotal.com/en/indexf.html


I'm going to be headed to bed very soon but will check back in the morning.

You could have a W32/Ramnit infection and might now be able to cure it.

http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allows the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish.

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.


It's 6 hours into the scan and about 2/3 of the way through; it's been stuck on one file on the recovery partition for about an hour.

So far it has found 27,438 infected files, all W32/Ramnit. It looks like it's infected pretty much everywhere :)

I'll let it run a bit longer to see if it can get past that file and finish the scan.


Scan completed - 27,349 found, 27,424 deleted.

The log is too big to post here; here are the items it was unable to delete:

C:\Windows\explorer.exe Win32/Bamital.ER trojan (unable to clean) 00000000000000000000000000000000 I

C:\Windows\explorer.old Win32/Bamital.ER trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Windows\System32\wininit.exe Win32/Bamital.ER trojan (unable to clean) 00000000000000000000000000000000 I

C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\Bears.htm Win32/Ramnit.A virus (error while cleaning) 00000000000000000000000000000000 I

C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\Garden.htm Win32/Ramnit.A virus (error while cleaning) 00000000000000000000000000000000 I

C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\Green Bubbles.htm Win32/Ramnit.A virus (error while cleaning) 00000000000000000000000000000000 I

C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\Hand Prints.htm Win32/Ramnit.A virus (error while cleaning) 00000000000000000000000000000000 I

C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\Orange Circles.htm Win32/Ramnit.A virus (error while cleaning) 00000000000000000000000000000000 I

C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\Peacock.htm Win32/Ramnit.A virus (error while cleaning) 00000000000000000000000000000000 I

C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\Roses.htm Win32/Ramnit.A virus (error while cleaning) 00000000000000000000000000000000 I

C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\Shades of Blue.htm Win32/Ramnit.A virus (error while cleaning) 00000000000000000000000000000000 I

C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\Soft Blue.htm Win32/Ramnit.A virus (error while cleaning) 00000000000000000000000000000000 I

C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\Stars.htm Win32/Ramnit.A virus (error while cleaning) 00000000000000000000000000000000 I

${Memory} multiple threats 00000000000000000000000000000000 I


all W32/Ramnit
I was afraid of that.

As far as I know there's no way of removing it other than a complete Re-Format.

If you have any data you need, you can copy it to an external device and hope nothing you need is infected.

The reformat is a complete format and not just a Windows repair install.


Yeah, pretty much the whole of program files was infected and just about every HTML file on my PC.

A few questions - Will the USB flash drive that I have been using to copy between the 2 PC's be OK?

What would be the safest way of backing up my images/music etc, that aren't infected?

Would I be able to use the recovery partition to reinstall windows?

Thanks for your help!


A few questions -

Will the USB flash drive that I have been using to copy between the 2 PC's be OK?

It should be unless it was infected.

What would be the safest way of backing up my images/music etc, that aren't infected?

I don't know if they are infected or not, but I don't think so. If you have large files, etc., you might look into purchasing an external hard drive.

Would I be able to use the recovery partition to reinstall windows?

I don't know what options you will have with that, but you need to reformat and start over.