Suspected keylogger and browser redirect

Re: Suspected keylogger and browser redirect

Post by Vino Rosso » February 9th, 2010, 5:50 pm

Brood wrote: The document was named cleannavi.txt not fixnavi, so maybe I didn't select the right option. I selected 1 Search / Automatic Cleaning.

Thanks... no, you ran the correct option.

The reason I asked you to run that scan is that I have seen an infection called Navipromo that redirects to French sites. Of course, the redirect you had may be because you're in France :)

As yet, there is no sign of a keylogger on your system. There are a few 'security' holes to plug if you're happy to do that?
Vino Rosso
Admin/Teacher Emeritus
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Re: Suspected keylogger and browser redirect

Post by Brood » February 9th, 2010, 6:51 pm

Vino Rosso wrote: There are a few 'security' holes to plug if you're happy to do that?

Yes, sure.
Brood
Regular Member
Posts: 18
Joined: January 30th, 2010, 10:46 am

Re: Suspected keylogger and browser redirect

Post by Vino Rosso » February 12th, 2010, 8:25 am

Hi

Apologies for the delay

1 - Update Java
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system.
Please follow these steps to remove older version Java components and update Java to the latest version:
  • Download the latest version of the Offline Installation of Java Runtime Environment (JRE) Version 6 for Windows and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs.
  • Search for and check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove all Java versions.
  • Using Windows Explorer, open the C:\Program Files folder and delete the Java folder (so delete the C:\Program Files\Java folder)
  • Reboot your computer once all Java components are removed.
  • Then double-click on jre-6u18-windows-i586-s.exe to install the latest version.
    If using Windows Vista or Windows 7 and the installer refuses to launch due to insufficient user permissions, then right-click on the file name and select Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
    If offered to install a Toolbar, just UNcheck the box before continuing unless you want it.
Notes:
  1. From Java 6 update 10 onwards, the uninstaller uses Enhanced Auto update to remove the previous version automatically when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
  2. Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.
  3. The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
    To disable the JQS service, if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and UNcheck the box for Java Quick Starter.
    Click OK and reboot your computer.
  4. Successful installation can be checked at http://java.com/en/download/installed.jsp

2 - Upload a File to Virustotal
I'd like to be certain about the content of a file / some files.
  • Highlight all the following in purple and press Ctrl+C on your keyboard to copy
  • E:\Documents and Settings\Barry\Desktop\mvjvsng3.exe
  • Please click >here< to visit Virustotal
  • Click into the blank box on the Virus Total page and press Ctrl+V on your keyboard to paste
  • Click the Send File button
  • Copy and paste the Virustotal results back here please

3 - Run Fix With OTL
Highlight the following in the code box and press Ctrl+C on the keyboard
Make sure you include the first colon (:)

Code:
:OTL
MOD - E:\Documents and Settings\Barry\Local Settings\Application Data\esentclbClient\esentclbClient.dll ()
DRV - (epmntdrv) -- E:\WINDOWS\system32\epmntdrv.sys ()
O4 - HKCU..\Run: [esentclbClient] File not found

:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\Program Files\Steam\Steam.exe"=-
"E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"=-
"E:\Program Files\Steam\steamapps\liquidsun\team fortress 2\hl2.exe"=-
"E:\Program Files\Steam\steamapps\common\arma 2\arma2.exe"=-
"D:\Program Files\Dragon Age Origins Character Creator\bin_ship\DAOCharacterCreator.exe"=-
"D:\Program Files\Dragon Age Origins Character Creator\DAOriginsLauncher.exe"=-
"E:\Program Files\Steam\steamapps\common\empire total war\Empire.exe"=-
"E:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe"=-
"E:\Program Files\Steam\steamapps\common\overlord\Overlord.exe"=-
"E:\Program Files\Steam\steamapps\common\overlord\Config.exe"=-
"E:\Program Files\Steam\steamapps\common\overlord ii\Overlord2.exe"=-
"E:\Program Files\Steam\steamapps\common\overlord ii\Config.exe"=-
"E:\Program Files\Steam\steamapps\common\plants vs zombies\PlantsVsZombies.exe"=-
"E:\Program Files\Steam\steamapps\common\osmos\osmos.exe"=-
"E:\Program Files\Steam\steamapps\common\trine\trine_launcher.exe"=-
"E:\Program Files\Steam\steamapps\common\swkotor\swkotor.exe"=-
"E:\Program Files\Steam\steamapps\common\evil genius\EvilGeniusLauncher.exe"=-
"E:\Program Files\Steam\steamapps\common\dawn of war gold\W40kWA.exe"=-
"E:\Program Files\Steam\steamapps\common\dawn of war gold\W40k.exe"=-
"E:\Program Files\Steam\steamapps\common\company of heroes\help.htm"=-
"E:\Program Files\Steam\steamapps\common\company of heroes\RelicCOH.exe"=-
"G:\D\GAMES DIR\CALLOFJUAREZ\COJBIBGAME_X86.EXE"=-
"E:\Program Files\Steam\steamapps\common\mirrors edge\Binaries\MirrorsEdge.exe"=-
"E:\Program Files\Steam\steamapps\common\dawn of war dark crusade\darkcrusade.exe"=-
"E:\Program Files\Steam\steamapps\common\dawn of war soulstorm\soulstorm.exe"=-
"E:\Program Files\Steam\steamapps\common\stalker shadow of chernobyl\bin\XR_3DA.exe"=-
"E:\Program Files\Steam\steamapps\common\left 4 dead 2\left4dead2.exe"=-
"C:\Steam\steamapps\common\empire total war\Empire.exe"=-
"C:\Steam\steamapps\common\shattered_horizon\client_exe\shattered_horizon.exe"=-

:commands
[EmptyTemp]

Double-click on the OTL.exe file to start OTL. OK any warning about running OTL.
Click in the Custom Scans/Fixes box at the bottom of the OTL window
Press Ctrl+V to paste the above code in the box (check that the code appears)
Click the Run Fix button
Please post the resulting log.

Thanks
Vino
Vino Rosso
Admin/Teacher Emeritus
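An added example (not from the thread and not OTL's own code) that reads a fix script in the layout used above, turns it into a plan a helper can review before running it, and flags firewall AuthorizedApplications entries worth a second look. The sample script, the section names assumed (:OTL, :reg, :commands), the `"value"=-` delete syntax and all function names are assumptions made here.

```python
"""Parse an OTL-style fix script into a reviewable plan before it is run.

Added example for this thread; it is not OTL's own code. It assumes the layout
seen in the fix above: a ':OTL' section of log lines (MOD, DRV, O4 ...), a
':reg' section in .reg-export syntax where "value"=- deletes a value, and a
':commands' section such as [EmptyTemp].
"""
import os
import re

# Constructed sample: a shortened copy of the fix posted in the thread.
SAMPLE_FIX = r"""
:OTL
MOD - E:\Documents and Settings\Barry\Local Settings\Application Data\esentclbClient\esentclbClient.dll ()
DRV - (epmntdrv) -- E:\WINDOWS\system32\epmntdrv.sys ()
O4 - HKCU..\Run: [esentclbClient] File not found

:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\Program Files\Steam\Steam.exe"=-
"E:\Program Files\Steam\steamapps\common\company of heroes\help.htm"=-
"G:\D\GAMES DIR\CALLOFJUAREZ\COJBIBGAME_X86.EXE"=-

:commands
[EmptyTemp]
"""


def parse_fix(text):
    """Split the script into its sections without interpreting them."""
    plan = {"otl": [], "reg": {}, "commands": []}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):          # ':OTL', ':reg', ':commands'
            section = line[1:].lower()
            continue
        if section == "otl":
            kind, _, rest = line.partition(" - ")
            plan["otl"].append((kind, rest))
        elif section == "reg":
            if line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
                plan["reg"].setdefault(current_key, [])
            else:
                m = re.match(r'^"(.*)"=(.*)$', line)
                if m and current_key is not None:
                    name, data = m.groups()
                    plan["reg"][current_key].append(
                        (name, "delete" if data == "-" else data))
        elif section == "commands":
            plan["commands"].append(line.strip("[]"))
    return plan


def summarize(plan):
    """What the fix will touch: services, Run entries, modules, registry values."""
    out = {"drivers": [], "run_entries": [], "modules": [], "commands": plan["commands"]}
    for kind, rest in plan["otl"]:
        if kind == "DRV":                                  # DRV - (name) -- path ()
            out["drivers"].append(re.search(r"\((\w+)\)", rest).group(1))
        elif kind == "O4":                                 # O4 - HKCU..\Run: [name] ...
            out["run_entries"].append(re.search(r"\[([^\]]+)\]", rest).group(1))
        elif kind == "MOD":                                # MOD - path ()
            out["modules"].append(rest.rstrip(" ()"))
    out["reg_deletes"] = sum(
        1 for values in plan["reg"].values() for _, action in values if action == "delete")
    return out


def review_firewall_exceptions(plan, exists=os.path.exists):
    """Flag AuthorizedApplications entries that deserve a second look.

    'exists' is injectable so the check can run against a script written for
    another machine (the thread's fix lists paths on the E:, D: and G: drives).
    """
    notes = []
    for key, values in plan["reg"].items():
        if not key.lower().endswith(r"\authorizedapplications\list"):
            continue
        for name, _action in values:
            if not name.lower().endswith(".exe"):
                notes.append((name, "non-executable"))    # e.g. a .htm in the firewall list
            if not exists(name):
                notes.append((name, "target missing"))    # stale entry, program gone
    return notes


if __name__ == "__main__":
    plan = parse_fix(SAMPLE_FIX)
    print(summarize(plan))
    for path, why in review_firewall_exceptions(plan, exists=lambda p: p.startswith("E:")):
        print(f"{why:16} {path}")
```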

Re: Suspected keylogger and browser redirect

Post by Brood » February 12th, 2010, 2:51 pm

Hi

The Java section was followed to the letter.

VirusTotal Results below:

MD5: f80f6e09e7f4bafe478ca0da6137e1e2
First received: 2009.12.15 10:56:33 UTC
Date: 2010.02.12 16:11:30 UTC [<1D]
Results: 3/40
Permalink: analisis/682fd0d13d7caf4b17a1eb9bafa0a3c3598139bb3623d3f5fba3bfbd0a6d424a-1265991090

=========================================================================================================

OTL Results:

All processes killed
========== OTL ==========
Service epmntdrv stopped successfully!
Service epmntdrv deleted successfully!
E:\WINDOWS\system32\epmntdrv.sys moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\esentclbClient deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\Steam.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\liquidsun\team fortress 2\hl2.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\arma 2\arma2.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\Dragon Age Origins Character Creator\bin_ship\DAOCharacterCreator.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Program Files\Dragon Age Origins Character Creator\DAOriginsLauncher.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\empire total war\Empire.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\overlord\Overlord.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\overlord\Config.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\overlord ii\Overlord2.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\overlord ii\Config.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\plants vs zombies\PlantsVsZombies.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\osmos\osmos.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\trine\trine_launcher.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\swkotor\swkotor.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\evil genius\EvilGeniusLauncher.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\dawn of war gold\W40kWA.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\dawn of war gold\W40k.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\company of heroes\help.htm deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\company of heroes\RelicCOH.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\G:\D\GAMES DIR\CALLOFJUAREZ\COJBIBGAME_X86.EXE deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\mirrors edge\Binaries\MirrorsEdge.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\dawn of war dark crusade\darkcrusade.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\dawn of war soulstorm\soulstorm.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\stalker shadow of chernobyl\bin\XR_3DA.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\Steam\steamapps\common\left 4 dead 2\left4dead2.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Steam\steamapps\common\empire total war\Empire.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Steam\steamapps\common\shattered_horizon\client_exe\shattered_horizon.exe deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Barry
->Temp folder emptied: 189941456 bytes
->Temporary Internet Files folder emptied: 919461328 bytes
->Java cache emptied: 51070959 bytes
->FireFox cache emptied: 49760238 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 82772 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 12981022 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 4729297659 bytes

Total Files Cleaned = 5,679.00 mb


OTL by OldTimer - Version 3.1.28.0 log created on 02122010_194540

Files\Folders moved on Reboot...
E:\Documents and Settings\Barry\Local Settings\Temp\WCESLog.log moved successfully.

Registry entries deleted on Reboot...
Brood
Regular Member

Re: Suspected keylogger and browser redirect

Post by Vino Rosso » February 12th, 2010, 3:14 pm

Hi

Thanks for posting the logs.

I'm trying to discover what the mvjvsng3.exe file is. Do you recognise it?

Can you please upload the file here: http://www.bleepingcomputer.com/submit- ... channel=36
And, if you don't recognise it, please delete it.

How is the computer now running?
Vino Rosso
Admin/Teacher Emeritus

Re: Suspected keylogger and browser redirect

Post by Brood » February 12th, 2010, 3:44 pm

Hi Vino

I still get the odd redirection, usually to google but sometimes to other ad sites.

Yes it's GMER from this post:

Gmer
Download GMER Rootkit Scanner from here.

Please physically disconnect from the internet and disable the computer's security programs as these may interfere with GMER.

* Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
* If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO << Important!

* In the right panel, you will see several boxes that have been checked. UNcheck the following ...
o UNcheck Sections
o UNcheck IAT/EAT
o UNcheck Drives/Partition other than Systemdrive (typically C:\)
o UNcheck Show All (don't miss this one)
* Then click the Scan button & wait for it to finish
* Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
* Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Note: Do not run any programs while Gmer is running.

Re-enable the computer's security programs and connect to the internet.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
Brood
Regular Member

Re: Suspected keylogger and browser redirect

Post by Vino Rosso » February 12th, 2010, 5:08 pm

Funny that... I suspected GMER but looked at my copy and saw a larger file size. Now, of course, I realise I haven't run it so was looking at the installation file.

Can you please remind me, do you get these occasional re-directs with more than one browser?
Vino Rosso
Admin/Teacher Emeritus

Re: Suspected keylogger and browser redirect

Post by Brood » February 12th, 2010, 7:23 pm

I only use firefox really, the odd time I use IE (testing website layouts) I never get a problem. Recently I've been using IE a few times a day. With firefox I will only get redirected once or twice a day bearing in mind I browse a lot during any given day.
Brood
Regular Member

Re: Suspected keylogger and browser redirect

Post by Vino Rosso » February 13th, 2010, 5:19 am

If it's *just* Firefox, let's try the following:

Please download GooredFix from one of the locations below and save it to your Desktop
>Download Mirror #1<
>Download Mirror #2<

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Vino Rosso
Admin/Teacher Emeritus

Re: Suspected keylogger and browser redirect

Post by Brood » February 13th, 2010, 6:55 am

GooredFix by jpshortstuff (08.01.10.1)
Log created at 11:54 on 13/02/2010 (Barry)
Firefox version 3.5.7 (en-GB)

========== GooredScan ==========


========== GooredLog ==========

E:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [07:22 08/10/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [10:13 13/10/2009]
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [18:43 12/02/2010]

E:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\hwpdatzi.default\extensions\
en-GB @ dictionaries.addons.mozilla.org [11:59 16/12/2009]
firebug @ software.joehewitt.com [11:18 09/02/2010]
LogMeInClient @ logmein.com [13:08 21/11/2009]
{20a82645-c095-46ed-80e3-08825760534b} [08:26 08/10/2009]
{3d7eb24f-2740-49df-8937-200b1cc08f8a} [14:06 30/01/2010]
{73a6fe31-595d-460b-a920-fcc0f8843232} [16:58 05/02/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="E:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:09 27/09/2009]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="E:\Program Files\AVG\AVG9\Firefox" [07:36 05/01/2010]
"jqs@sun.com"="E:\Program Files\Java\jre6\lib\deploy\jqs\ff" [18:43 12/02/2010]

-=E.O.F=-
Brood
Regular Member

Re: Suspected keylogger and browser redirect

Post by Vino Rosso » February 13th, 2010, 9:03 am

Nothing there... we're not having much luck!

Re-directs can also be caused by a modified Hosts file but, rather than occasional, the redirects would be constant and also happen with Firefox and IE.

With nothing showing up, my next suggestion would be to create a new Firefox profile then, if you continue to get the occasional redirect, uninstalling and re-installing Firefox.
Vino Rosso
Admin/Teacher Emeritus
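For the Hosts-file cause mentioned in the post above, an added check (not a tool used in the thread): it parses a Windows Hosts file and reports every mapping that does not point at a loopback or 0.0.0.0 sinkhole, which is what a blocklist-style Hosts file legitimately does, and rates the finding high when the name is on a watch list. The watch list, the sample file and the function names are constructed for this example.

```python
"""Audit a Windows Hosts file for entries that could redirect browsing.

Added example for this thread, not a tool the helpers used. Blocklist-style
Hosts files map ad domains to 127.0.0.1 or 0.0.0.0, which is harmless; a
hijacked Hosts file instead points search engines, security vendors or update
servers at a remote address, and that redirect hits every browser on the box,
which is the symptom described above.
"""
import ipaddress
import os

# Constructed watch list: domains whose redirection is a strong hijack signal.
WATCH_DOMAINS = ("google.com", "google.fr", "bing.com", "microsoft.com",
                 "windowsupdate.com", "kaspersky.com", "virustotal.com")

# Constructed sample Hosts file; lines 6 and 7 simulate a hijack.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.",
    "127.0.0.1       localhost",
    "::1             localhost",
    "0.0.0.0         ads.example.net        # blocklist entry, harmless",
    "127.0.0.1       tracker.example.org",
    "192.0.2.44      www.google.com google.com   # search engine sent elsewhere",
    "192.0.2.44      www.google.fr",
    "10.0.0.5        intranet.example.local",
])


def default_hosts_path():
    """Location of the Hosts file on Windows: %SystemRoot%\\System32\\drivers\\etc\\hosts."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every active mapping line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not a mapping line
        entries.append((no, ip, [h.lower() for h in parts[1:]]))
    return entries


def _watched(host):
    """True for a watch-listed domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)


def audit_hosts(text):
    """List (line_no, host, ip, severity) for every mapping that is not a sinkhole.

    Loopback and 0.0.0.0 targets cannot redirect anywhere, so they are skipped;
    anything else is reported, 'high' when the name is on the watch list.
    """
    findings = []
    for no, ip, hosts in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for h in hosts:
            if h == "localhost":
                continue
            findings.append((no, h, str(ip), "high" if _watched(h) else "info"))
    return findings


if __name__ == "__main__":
    # Use the real Hosts file when running on Windows, else the constructed sample.
    path = default_hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for no, host, ip, sev in audit_hosts(text):
        print(f"line {no:>3} {sev:5} {host} -> {ip}")
```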

Re: Suspected keylogger and browser redirect

Post by Brood » February 13th, 2010, 9:10 am

Ok then Vino, thanks very much for your help!

If you're ever near Cognac France I'll buy you a beer! :)
Brood
Regular Member

Re: Suspected keylogger and browser redirect

Post by Vino Rosso » February 13th, 2010, 9:31 am

Brood wrote: Ok then Vino, thanks very much for your help!

If you're ever near Cognac France I'll buy you a beer! :)

You're welcome! :occasion5:

A few things to tidy up...

1 - OTL Last Run
Please re-run OTL and click the 'CleanUp' button
Please OK any warnings and let the program proceed with its clean up routine.
At the end the program will ask to let it reboot the computer. Let it do so.
Let me know if there were any problems with OTL.

2 - Protection Programs
Don't forget to re-enable any protection programs you may have disabled during your fix.

3 - General Security and Computer Health
When downloading *ANY* file, especially from social networking, file sharing, and gaming sites or receiving an unexpected attachment in an email, do the following:
  1. Download the file into a separate folder of its own
  2. Scan the file with your antivirus program and an online scanner such as Kaspersky
  3. Check the file name and size on Google
    NB Make sure to have the complete file name. Malware commonly uses tricks such as picture.jpg.exe
  4. If there is *anything* suspicious, delete the file immediately. It's not worth wrecking your computer
Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  1. Clear Infected System Restore Points ~ Not required if combofix /Uninstall command has been run
    • Turn System Restore off
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore on all drives.
    • Click Apply, and then click OK.
    Restart your computer
    • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck Turn off System Restore on all drives.
    • Click Apply
    • Click each drive in turn where system restore is not required and click Settings
      Note: System restore is only needed on drives with an operating system installed
    • For each drive without an operating system, check Turn off system restore on this drive, click Yes then click OK.
    Note: Reset system restore just this once, and not on a regular basis
  2. Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software. Good antivirus programs will update themselves at least daily.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  3. Install and use a firewall with outbound protection
    The Windows XP firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
  4. Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the >Microsoft Update site< on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer and allow the ActiveX control to install.
  5. Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the >Secunia Software Inspector< - I suggest that you run it at least once a month
  6. Make Internet Explorer More Secure
    Click Start > Run > type inetcpl.cpl > OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected and click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
    Further information for IE7 can be found >here<

    Next, if they're not already present, I would recommend the download and installation of some or all of the following programs, and the updating of them on a regular basis:

  7. Anti-Spyware
    Anti-Spyware is NOT the same thing as antivirus. Different anti-spyware programs detect different things so having more than one program is OK however you should only have ONE program running and use others 'on demand'. Having more than one running *may* cause conflicts but will certainly slow the computer down.
    Malwarebytes' Anti-Malware: >Information< and is available from >here<
    Spybot Search & Destroy: >Information< and is available from >here<
    a-squared Free: >Information< and is available from >here<
    Note: If you have a dialup internet connection, you may also like to install >a-squared Anti-Dialer< which provides some real time protection against premium rate dialers.
  8. Prevention
    These programs are designed to help stop malware getting on to your computer. Each does a different job so having more than one is OK.
    WinPatrol: As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. >Information<, >features<, and >download<
    Hosts File: For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is >here< and for more information regarding host files read >here<
    SpywareBlaster: SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see >here< and you can download SpywareBlaster from >here<
  9. Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are stored on your computer when you open a web page. If the web site you visit is of a dubious nature or has been hacked, the files can be an entry point for malware. It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that web sites use to monitor which sites you visit, when, and how often. Some anti-spyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION:- If you delete all your cookies, you will lose any autologin information for web sites that you visit, and will need to re-enter your passwords for those sites.

    Both temporary internet files and tracking cookies can be cleaned manually but a quicker option is to use a program:
    >ATF Cleaner< Free and very simple to use.
    >CCleaner< Free and very flexible, you can choose which cookies to keep.
  10. It is absolutely essential to keep all of your security programs up to date.
Safe Computing
Vino
Vino Rosso
Admin/Teacher Emeritus

Re: Suspected keylogger and browser redirect

Post by NonSuch » February 16th, 2010, 1:08 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California