Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Google Redirection, all browsers acting slowly


Re: Google Redirection, all browsers acting slowly

Unread postby Gary R » April 3rd, 2011, 10:55 am

Looks like the TDL Rootkit is still present.

Download OTL by OldTimer to your Desktop.

Alternative Download

If you already have a copy of OTL delete it and use this version.

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
:Files
C:\Users\Alex\AppData\Local\cspiena.dll
C:\Users\Alex\AppData\Local\temp\rnewaomsxc.exe
C:\Users\Alex\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\42cc9baf-6632dd0d
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\hxn0.jar

:Commands
[emptytemp]
[emptyflash]
[resethosts]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so; if it does, re-boot your computer. A log will be produced upon re-boot.

Next

  • Download aswMBR.exe to your desktop.
  • Double click aswMBR.exe to run it
  • Click the SCAN button to start the scan.
  • On completion of the scan click SAVE LOG and save it to your desktop.
  • Post the log contents in your next reply please.

Do not attempt to fix anything with aswMBR.exe yet

Summary of the logs I need from you in your next post:
  • OTL log
  • aswMBR.exe log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Google Redirection, all browsers acting slowly

Unread postby AlexG2490 » April 5th, 2011, 1:07 am

Here you are!

otl.txt
All processes killed
========== FILES ==========
C:\Users\Alex\AppData\Local\cspiena.dll moved successfully.
C:\Users\Alex\AppData\Local\temp\rnewaomsxc.exe moved successfully.
C:\Users\Alex\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\42cc9baf-6632dd0d moved successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\hxn0.jar moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Alex
->Temp folder emptied: 60863107 bytes
->Temporary Internet Files folder emptied: 218905265 bytes
->Java cache emptied: 8306 bytes
->FireFox cache emptied: 100678775 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 7634944 bytes
->Flash cache emptied: 100261 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4557953 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 375.00 mb


[EMPTYFLASH]

User: Alex
->Flash cache emptied: 0 bytes

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LogMeInRemoteUser

User: Public

Total Flash Files Cleaned = 0.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.22.3 log created on 04032011_140204

Files\Folders moved on Reboot...
C:\Users\Alex\AppData\Local\Temp\VGXAF43.tmp moved successfully.

Registry entries deleted on Reboot...


aswMBR.txt
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-04 23:05:21
-----------------------------
23:05:21.737 OS Version: Windows 6.0.6002 Service Pack 2
23:05:21.737 Number of processors: 2 586 0x6B02
23:05:21.739 ComputerName: ALEX-PC UserName: Alex
23:05:27.782 Initialize success
23:05:53.337 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000065
23:05:53.340 Disk 0 Vendor: WDC_WD16 08.0 Size: 152627MB BusType: 3
23:05:53.343 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000066
23:05:53.345 Disk 1 Vendor: Hitachi_ GM4O Size: 476940MB BusType: 3
23:05:55.369 Disk 0 MBR read successfully
23:05:55.372 Disk 0 MBR scan
23:05:57.377 Disk 0 scanning sectors +312578048
23:05:57.410 Disk 0 scanning C:\Windows\system32\drivers
23:06:03.465 Service scanning
23:06:05.565 Disk 0 trace - called modules:
23:06:05.576 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8501f1f8]<<
23:06:05.579 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x861c1ac8]
23:06:05.583 3 CLASSPNP.SYS[889c78b3] -> nt!IofCallDriver -> [0x858dbf08]
23:06:05.587 5 acpi.sys[881346bc] -> nt!IofCallDriver -> \Device\00000065[0x850e5b20]
23:06:05.593 \Driver\nvstor32[0x850cbdd8] -> IRP_MJ_CREATE -> 0x8501f1f8
23:06:05.598 Scan finished successfully
AlexG2490
Regular Member
Posts: 30
Joined: March 22nd, 2011, 10:35 pm

Re: Google Redirection, all browsers acting slowly

Unread postby Gary R » April 5th, 2011, 1:56 am

Well the aswMBR scan is saying you don't have a TDL infection, so ..... How is your computer behaving now?

Re: Google Redirection, all browsers acting slowly

Unread postby AlexG2490 » April 6th, 2011, 9:35 am

It seems to be running well. I hadn't tried anything video or processor intensive before yesterday night so I loaded up a game and ran it. Performance seems good. Redirection is no longer happening on my search results, my browsers and other programs launch quickly, and my windows look alright again.

Would it be prudent to run aswMBR again (maybe in safemode) just to verify its results? Also, a question about the bottom section of the ESET log:

C:\Qoobox\Quarantine\C\Users\Alex\AppData\Roaming\0AA35AA340E408D76C950D7A0C838F79\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Alex\AppData\Roaming\0AA35AA340E408D76C950D7A0C838F79\local.ini.vir Win32/Adware.AntimalwareDoctor.AE.Gen application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Alex\AppData\Local\cspiena.dll a variant of Win32/Cimag.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Alex\AppData\Local\temp\rnewaomsxc.exe a variant of Win32/Cimag.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Alex\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\42cc9baf-6632dd0d probably a variant of Java/Agent.AF trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\hxn0.jar a variant of Java/TrojanDownloader.Agent.NAL trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\02092011_074510\C_Users\Alex\AppData\Roaming\BC3FC61EBD2390BE003660698B68EBA6\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\02092011_074510\C_Users\Alex\AppData\Roaming\BC3FC61EBD2390BE003660698B68EBA6\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application (unable to clean) 00000000000000000000000000000000 I


I see the scanner is still finding traces of AntiMalwareDoctor... Is that something to worry about or are these not a concern because they have already been found and quarantined?

Re: Google Redirection, all browsers acting slowly

Unread postby Gary R » April 6th, 2011, 3:39 pm

Have you run a new E-Set scan since the last one, or is the log section you've just posted the one you posted earlier? ...... PLEASE LET ME KNOW

We did not remove the Qoobox and _OTL\Moved file objects found by E-set because they are encrypted quarantine files created by Combofix and OTL, they cannot re-infect you and we will remove them when we remove Combofix and OTL.

The other files we removed with OTL and your last OTL log says they were moved successfully.

aswMBR was not designed to run in Safe Mode, it was designed to run in Normal Mode.
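The reasoning in the reply above (a file counts as handled when the OTL fix log reports it "moved successfully", and ESET hits inside the ComboFix Qoobox or OTL MovedFiles folders are inert quarantine copies rather than live files) can be checked mechanically. The script below is an added example written for this thread; it is not code from the thread, from OTL or from ESET. The log excerpts are constructed from the lines quoted above, the quarantine folder list is an assumption based on the two locations the helper names, and one file is deliberately left out of the sample OTL log to show how a missed move is reported.

```python
"""Cross-check an OTL :Files fix against the OTL fix log, and sort ESET
detections into quarantined copies vs live files by path.

Added example for this thread; not OTL's or ESET's own code. Sample text is
constructed from the log lines quoted in the thread.
"""
import re

# Constructed sample: the :Files/:Commands fix script posted earlier.
OTL_FIX = r"""
:Files
C:\Users\Alex\AppData\Local\cspiena.dll
C:\Users\Alex\AppData\Local\temp\rnewaomsxc.exe

:Commands
[emptytemp]
[resethosts]
"""

# Constructed sample: OTL fix log excerpt. rnewaomsxc.exe is intentionally
# absent from the FILES section so the check has something to flag.
OTL_LOG = r"""
All processes killed
========== FILES ==========
C:\Users\Alex\AppData\Local\cspiena.dll moved successfully.
========== COMMANDS ==========
HOSTS file reset successfully
"""

# Constructed sample: ESET log lines in the format quoted in the thread.
ESET_LOG = r"""
C:\Qoobox\Quarantine\C\Users\Alex\AppData\Roaming\X\local.ini.vir Win32/Adware.AntimalwareDoctor.AE.Gen application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Alex\AppData\Local\cspiena.dll a variant of Win32/Cimag.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\02092011_074510\C_Users\Alex\AppData\Roaming\X\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application (unable to clean) 00000000000000000000000000000000 I
"""

# Assumption: quarantine folders written by ComboFix and OTL, as named in the
# thread. Extend this tuple if your tools store quarantine elsewhere.
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine", r"c:\_otl\movedfiles")


def parse_otl_fix_files(script: str) -> list[str]:
    """Return the paths listed under the :Files section of an OTL fix script."""
    files, in_files = [], False
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":"):
            # A new section header; only :Files lines are file paths.
            in_files = line.lower() == ":files"
            continue
        if in_files:
            files.append(line)
    return files


def check_otl_fix(script: str, log: str) -> dict[str, bool]:
    """Map each requested path to True if the log reports it moved, else False."""
    moved = set()
    for m in re.finditer(r"^(.*?) moved successfully\.$", log, re.MULTILINE):
        moved.add(m.group(1).strip().lower())
    return {p: p.lower() in moved for p in parse_otl_fix_files(script)}


# path, verdict text, "(unable to clean)", 32-hex hash column, trailing flag.
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+) (?P<verdict>.*?) \(unable to clean\) [0-9a-f]{32} I$"
)


def classify_eset(log: str) -> dict[str, list[tuple[str, str]]]:
    """Split ESET detections into quarantined (inert) copies and live files."""
    result: dict[str, list[tuple[str, str]]] = {"quarantined": [], "live": []}
    for line in log.splitlines():
        m = ESET_LINE.match(line.strip())
        if not m:
            continue
        path, verdict = m.group("path"), m.group("verdict")
        bucket = "quarantined" if path.lower().startswith(QUARANTINE_PREFIXES) else "live"
        result[bucket].append((path, verdict))
    return result


if __name__ == "__main__":
    for path, ok in check_otl_fix(OTL_FIX, OTL_LOG).items():
        print(("moved   " if ok else "MISSING ") + path)
    hits = classify_eset(ESET_LOG)
    print(f"{len(hits['quarantined'])} quarantined copies, {len(hits['live'])} live detections")
    for path, verdict in hits["live"]:
        print("live:", path, "->", verdict)
```

Run against a real fix script and its log, the MISSING lines are the files to ask about in the next reply, and only the "live" ESET detections warrant a follow-up; the quarantined ones disappear when the helper removes ComboFix and OTL at the end of the clean-up.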

Re: Google Redirection, all browsers acting slowly

Unread postby AlexG2490 » April 7th, 2011, 12:24 am

No, I have not run E-Set again; I don't do anything unless you tell me to :). I was just quoting the earlier log a second time because I saw the name of the program that started this whole mess in the log... so I didn't understand how ESET could see it but aswMBR said I was free and clear. Thanks, that makes more sense now. Sorry I wasn't clear.

How do you suggest we proceed, or are we finished?

Re: Google Redirection, all browsers acting slowly

Unread postby Gary R » April 7th, 2011, 2:38 am

Since your latest logs appear clear, and your computer appears to be operating normally again, I think we must assume you're now clean of infection.

Time for a little tidying up, then I'll make a few suggestions about security.

First

Let's clear out OTL and the files and folders it created. This will also remove TDSSKiller.
  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTL
  • Now delete OTL.exe (if still present).

Next

Please delete the following files ....

CKScanner.exe ... and any log files it created.
aswMBR.exe ... and any log files it created.
DDS.scr ... and any log files it created.


Next

Earlier on you disabled Win Patrol

To Re-enable WinPatrol.
  • Click Start, Programs > All Programs > WinPatrol > WinPatrol
  • Right Click the Scotty icon in your task bar and select Options.
  • Check Automatically run Win Patrol when computer starts
  • Close the Win Patrol window.

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems?
  • If you are let me know about them.
  • If not it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

If your computer is running slowly after your clean up, please read.

Re: Google Redirection, all browsers acting slowly

Unread postby Gary R » April 9th, 2011, 1:45 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.