squinky86 Posted August 27, 2011 ID:470075 Share Posted August 27, 2011 I just read the part where we're not supposed to post a reply to our topic, so I'm consolidating it here. Please feel free to remove my previous topic here: http://forums.malwarebytes.org/index.php?showtopic=93801My friend dropped off his computer. Malware Bytes found 6 threats and cleaned them. After a reset, things appeared to be working better, but search results still redirect.Details:Windows XP SP3hosts file is cleanaffects all browsers (IE, FF 6, Chrome)Using firebug, the 200 OK "response" I receive from the remote server (and it looks like it's coming from the correct url) when I click on a link in google/yahoo is as follows (note that the "action" will often change, but the myform.submit() function is always the same):<html><body><form id="mfrm" name="myform" action="http://www.yahsmin.com" method="post"><input type="hidden" name="url" value="http://clickcertain.org/go.php?id=acd763a6e47c55d93bbf4eb7fa6cc982&aid=531&said=direc30&lastpage=BxsbH1VAQBgYGEEIAAAIAwpBDAACQBxQBwNSCgFJHBoIChcfUgwCHB9JDB9SVkkIHDAGC1IZSRcHHVIbSR5SHB4aBgEEFldZSR8JUh9JHAwDBgoBG1IfHBZJHAYbClJJHAAaHQwKUgcfSR8NF1JeSQAeUkkOHlJJDh4GUkkOHgNSSQgcMBwCUkkIHDAaHwNSSQ0OGVIAAUFdQwAdQR0wCAxBHTAfGEFJCR9SWV4MDVxdDQtWX1hfXF8NV0kNBhhSXl5aXUkNBgdSW1ldSRsMB1JeSQoMB1JZSR8cBlInJx82Ox8FKShCCQxfPig%2BFyEGOysuQV5cXltbXV5bWl1YV15BXQ%3D%3D"></form><script type="text/javascript">document.forms["myform"].submit();</script></body></html>Attached are the following files:dds.txtgmer.loghijackthis.logmbam-log-2011-08-25*.txt - results where malicious things were detectedmbam-log-2011-08-26*.txt - results after cleaningComboFix.txtDomain name information for the clickcertain.org site, just in case it changes:Domain Name:CLICKCERTAIN.ORGCreated On:16-Jul-2011 20:15:37 UTCLast Updated On:16-Jul-2011 21:08:18 UTCExpiration Date:16-Jul-2012 20:15:37 UTCSponsoring Registrar:Bizcn.com, Inc. (R1248-LROR)Status:CLIENT TRANSFER PROHIBITEDStatus:TRANSFER PROHIBITEDRegistrant ID:orgjt10847334897Registrant Name:Jackson TrinityRegistrant Organization:JacksonTrinityRegistrant Street1:1354 Corista DriveRegistrant Street2:Registrant Street3:Registrant City:HendersonRegistrant State/Province:NVRegistrant Postal Code:89052Registrant Country:USRegistrant Phone:+1.7022700647Registrant Phone Ext.:Registrant FAX:+1.7022700647Registrant FAX Ext.:Registrant Email:jacksontrinity@hotmailbox.comAdmin ID:orgjt10847335104Admin Name:Jackson TrinityAdmin Organization:JacksonTrinityAdmin Street1:1354 Corista DriveAdmin Street2:Admin Street3:Admin City:HendersonAdmin State/Province:NVAdmin Postal Code:89052Admin Country:USAdmin Phone:+1.7022700647Admin Phone Ext.:Admin FAX:+1.7022700647Admin FAX Ext.:Admin Email:jacksontrinity@hotmailbox.comTech ID:orgjt10847335562Tech Name:Jackson TrinityTech Organization:JacksonTrinityTech Street1:1354 Corista DriveTech Street2:Tech Street3:Tech City:HendersonTech State/Province:NVTech Postal Code:89052Tech Country:USTech Phone:+1.7022700647Tech Phone Ext.:Tech FAX:+1.7022700647Tech FAX Ext.:Tech Email:jacksontrinity@hotmailbox.comName Server:NS1.CLICKCERTAIN.ORGName Server:NS2.CLICKCERTAIN.ORGJust tried ESET Online. Problem is still here, but these are the results (and I'm curious why MSSE and McAfee didn't catch them):C:\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9m.EXE a variant of Win32/AdInstaller application deleted - quarantinedC:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2161\A0213562.EXE a variant of Win32/AdInstaller application deleted - quarantinedC:\WINDOWS\SYSTEM32\dosaxapp.dll a variant of Win32/Urlbot.NAN trojan cleaned by deleting - quarantineddds.txtgmer.loghijackthis.logmbam-log-2011-08-25 (19-19-13).txtmbam-log-2011-08-26 (20-56-55).txtComboFix.txt Link to post Share on other sites More sharing options...
Staff screen317 Posted August 29, 2011 Staff ID:470790 Share Posted August 29, 2011 Hi and welcome to Malwarebytes.I notice that you are using more than one antivirus program (AVG and Microsoft). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.Please don't attach logs. Copy and paste them instead.Next, update MBAM, run a Quick Scan, and post its log. Grab a fresh copy of ComboFix, run it, and post its log. Also post a fresh DDS log.Are you currently connected through a router? Link to post Share on other sites More sharing options...
Staff screen317 Posted September 18, 2011 Staff ID:476984 Share Posted September 18, 2011 Are you still with us? This topic will be closed in a few days if we do not hear back from you. Link to post Share on other sites More sharing options...
Staff screen317 Posted October 10, 2011 Staff ID:483986 Share Posted October 10, 2011 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts