Search being redirected to ad sites

Re: Search being redirected to ad sites

Post by californiastreet » February 4th, 2010, 9:48 pm

Hi Carolyn,

My computer seems to be fixed now! My search results are not being redirected anymore!!

I am cured?

Below are the results of the two logs you requested:

mbr Log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

TDSSKiller Log:
17:35:14:906 6516 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
17:35:14:906 6516 ================================================================================
17:35:14:906 6516 SystemInfo:

17:35:14:906 6516 OS Version: 5.1.2600 ServicePack: 3.0
17:35:14:906 6516 Product type: Workstation
17:35:14:906 6516 ComputerName: MFPDT095
17:35:14:906 6516 UserName: Ryan
17:35:14:906 6516 Windows directory: C:\WINDOWS
17:35:14:906 6516 Processor architecture: Intel x86
17:35:14:906 6516 Number of processors: 2
17:35:14:906 6516 Page size: 0x1000
17:35:14:906 6516 Boot type: Normal boot
17:35:14:906 6516 ================================================================================
17:35:14:921 6516 UnloadDriverW: NtUnloadDriver error 2
17:35:14:921 6516 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:35:14:921 6516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:35:14:937 6516 UtilityInit: KLMD drop and load success
17:35:14:937 6516 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
17:35:14:937 6516 UtilityInit: KLMD open success
17:35:14:937 6516 UtilityInit: Initialize success
17:35:14:937 6516
17:35:14:937 6516 Scanning Services ...
17:35:14:937 6516 CreateRegParser: Registry parser init started
17:35:14:937 6516 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
17:35:14:937 6516 CreateRegParser: DisableWow64Redirection error
17:35:14:937 6516 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:35:14:937 6516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
17:35:14:937 6516 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:35:14:937 6516 wfopen_ex: Trying to KLMD file open
17:35:14:937 6516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
17:35:14:937 6516 wfopen_ex: File opened ok (Flags 2)
17:35:14:937 6516 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 274C88
17:35:14:937 6516 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:35:14:937 6516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
17:35:14:937 6516 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:35:14:937 6516 wfopen_ex: Trying to KLMD file open
17:35:14:937 6516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
17:35:14:937 6516 wfopen_ex: File opened ok (Flags 2)
17:35:14:937 6516 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 274D30
17:35:14:937 6516 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
17:35:14:937 6516 CreateRegParser: EnableWow64Redirection error
17:35:14:937 6516 CreateRegParser: RegParser init completed
17:35:15:203 6516 GetAdvancedServicesInfo: Raw services enum returned 313 services
17:35:15:203 6516 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:35:15:203 6516 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:35:15:203 6516
17:35:15:203 6516 Scanning Kernel memory ...
17:35:15:203 6516 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
17:35:15:203 6516 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 89E4C6D0
17:35:15:203 6516 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
17:35:15:203 6516
17:35:15:203 6516 DetectCureTDL3: DEVICE_OBJECT: 89E12758
17:35:15:203 6516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89E12758
17:35:15:203 6516 KLMD_ReadMem: Trying to ReadMemory 0x89E12758[0x38]
17:35:15:203 6516 DetectCureTDL3: DRIVER_OBJECT: 89E4C6D0
17:35:15:203 6516 KLMD_ReadMem: Trying to ReadMemory 0x89E4C6D0[0xA8]
17:35:15:203 6516 KLMD_ReadMem: Trying to ReadMemory 0xE14CE170[0x18]
17:35:15:203 6516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:35:15:203 6516 DetectCureTDL3: IrpHandler (0) addr: BA0FEBB0
17:35:15:203 6516 DetectCureTDL3: IrpHandler (1) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (2) addr: BA0FEBB0
17:35:15:203 6516 DetectCureTDL3: IrpHandler (3) addr: BA0F8D1F
17:35:15:203 6516 DetectCureTDL3: IrpHandler (4) addr: BA0F8D1F
17:35:15:203 6516 DetectCureTDL3: IrpHandler (5) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (6) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (7) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (8) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (9) addr: BA0F92E2
17:35:15:203 6516 DetectCureTDL3: IrpHandler (10) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (11) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (12) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (13) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (14) addr: BA0F93BB
17:35:15:203 6516 DetectCureTDL3: IrpHandler (15) addr: BA0FCF28
17:35:15:203 6516 DetectCureTDL3: IrpHandler (16) addr: BA0F92E2
17:35:15:203 6516 DetectCureTDL3: IrpHandler (17) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (18) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (19) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (20) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (21) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (22) addr: BA0FAC82
17:35:15:203 6516 DetectCureTDL3: IrpHandler (23) addr: BA0FF99E
17:35:15:203 6516 DetectCureTDL3: IrpHandler (24) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (25) addr: 804F4562
17:35:15:203 6516 DetectCureTDL3: IrpHandler (26) addr: 804F4562
17:35:15:203 6516 TDL3_FileDetect: Processing driver: Disk
17:35:15:203 6516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:35:15:203 6516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:35:15:250 6516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:35:15:250 6516
17:35:15:250 6516 DetectCureTDL3: DEVICE_OBJECT: 89E11030
17:35:15:250 6516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89E11030
17:35:15:250 6516 KLMD_ReadMem: Trying to ReadMemory 0x89E11030[0x38]
17:35:15:250 6516 DetectCureTDL3: DRIVER_OBJECT: 89E4C6D0
17:35:15:250 6516 KLMD_ReadMem: Trying to ReadMemory 0x89E4C6D0[0xA8]
17:35:15:250 6516 KLMD_ReadMem: Trying to ReadMemory 0xE14CE170[0x18]
17:35:15:250 6516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:35:15:250 6516 DetectCureTDL3: IrpHandler (0) addr: BA0FEBB0
17:35:15:250 6516 DetectCureTDL3: IrpHandler (1) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (2) addr: BA0FEBB0
17:35:15:250 6516 DetectCureTDL3: IrpHandler (3) addr: BA0F8D1F
17:35:15:250 6516 DetectCureTDL3: IrpHandler (4) addr: BA0F8D1F
17:35:15:250 6516 DetectCureTDL3: IrpHandler (5) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (6) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (7) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (8) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (9) addr: BA0F92E2
17:35:15:250 6516 DetectCureTDL3: IrpHandler (10) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (11) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (12) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (13) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (14) addr: BA0F93BB
17:35:15:250 6516 DetectCureTDL3: IrpHandler (15) addr: BA0FCF28
17:35:15:250 6516 DetectCureTDL3: IrpHandler (16) addr: BA0F92E2
17:35:15:250 6516 DetectCureTDL3: IrpHandler (17) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (18) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (19) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (20) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (21) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (22) addr: BA0FAC82
17:35:15:250 6516 DetectCureTDL3: IrpHandler (23) addr: BA0FF99E
17:35:15:250 6516 DetectCureTDL3: IrpHandler (24) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (25) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (26) addr: 804F4562
17:35:15:250 6516 TDL3_FileDetect: Processing driver: Disk
17:35:15:250 6516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:35:15:250 6516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:35:15:250 6516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:35:15:250 6516
17:35:15:250 6516 DetectCureTDL3: DEVICE_OBJECT: 89DEA848
17:35:15:250 6516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89DEA848
17:35:15:250 6516 DetectCureTDL3: DEVICE_OBJECT: 89E3CB00
17:35:15:250 6516 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89E3CB00
17:35:15:250 6516 KLMD_ReadMem: Trying to ReadMemory 0x89E3CB00[0x38]
17:35:15:250 6516 DetectCureTDL3: DRIVER_OBJECT: 89DE48B0
17:35:15:250 6516 KLMD_ReadMem: Trying to ReadMemory 0x89DE48B0[0xA8]
17:35:15:250 6516 KLMD_ReadMem: Trying to ReadMemory 0x89DE8030[0x38]
17:35:15:250 6516 KLMD_ReadMem: Trying to ReadMemory 0x89DD0250[0xA8]
17:35:15:250 6516 KLMD_ReadMem: Trying to ReadMemory 0xE10169E0[0x1A]
17:35:15:250 6516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
17:35:15:250 6516 DetectCureTDL3: IrpHandler (0) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (1) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (2) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (3) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (4) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (5) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (6) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (7) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (8) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (9) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (10) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (11) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (12) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (13) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (14) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (15) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (16) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (17) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (18) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (19) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (20) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (21) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (22) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (23) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (24) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (25) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (26) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: All IRP handlers pointed to one addr: 89D74618
17:35:15:250 6516 KLMD_ReadMem: Trying to ReadMemory 0x89D74618[0x400]
17:35:15:250 6516 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
17:35:15:250 6516 Driver "atapi" Irp handler infected by TDSS rootkit ... 17:35:15:250 6516 KLMD_WriteMem: Trying to WriteMemory 0x89D7467D[0xD]
17:35:15:250 6516 cured
17:35:15:250 6516 KLMD_ReadMem: Trying to ReadMemory 0x89D744BF[0x400]
17:35:15:250 6516 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
17:35:15:250 6516 Driver "atapi" StartIo handler infected by TDSS rootkit ... 17:35:15:250 6516 TDL3_StartIoHookCure: Number of patches 1
17:35:15:250 6516 KLMD_WriteMem: Trying to WriteMemory 0x89D745B6[0x6]
17:35:15:250 6516 cured
17:35:15:250 6516 TDL3_FileDetect: Processing driver: atapi
17:35:15:250 6516 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:35:15:250 6516 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
17:35:15:265 6516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
17:35:15:265 6516 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 17:35:15:265 6516 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:35:15:265 6516 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
17:35:15:265 6516 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
17:35:15:328 6516 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
17:35:15:343 6516 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
17:35:15:359 6516 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
17:35:15:468 6516 CabinetCallback: File extracted successfully: C:\DOCUME~1\Ryan\LOCALS~1\Temp\bck34F.tmp
17:35:15:468 6516 ValidateDriverFile: Stage 1 passed
17:35:15:468 6516 ValidateDriverFile: Stage 2 passed
17:35:15:531 6516 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
17:35:15:703 6516 DigitalSignVerifyByHandle: Cat DS result: 00000000
17:35:15:703 6516 ValidateDriverFile: Stage 3 passed
17:35:15:703 6516 CabinetCallback: File validated successfully, restore information prepared
17:35:15:703 6516 FindDriverFileBackup: Backup copy found in cab-file
17:35:15:703 6516 TDL3_FileCure: Backup copy found, using it..
17:35:15:703 6516 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk350.tmp
17:35:15:734 6516 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk350.tmp, system32\drivers\atapi.sys)
17:35:15:734 6516 TDL3_FileCure: KLMD jobs schedule success
17:35:15:734 6516 will be cured on next reboot
17:35:15:734 6516 UtilityBootReinit: Reboot required for cure complete..
17:35:15:750 6516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
17:35:15:765 6516 UtilityBootReinit: KLMD drop success
17:35:15:765 6516 KLMD_ApplyPendList: Pending buffer(7A70_4A52, 608) dropped successfully
17:35:15:765 6516 UtilityBootReinit: Cure on reboot scheduled successfully
17:35:15:765 6516
17:35:15:765 6516 Completed
17:35:15:765 6516
17:35:15:765 6516 Results:
17:35:15:765 6516 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
17:35:15:765 6516 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:35:15:765 6516 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:35:15:765 6516
17:35:15:765 6516 UnloadDriverW: NtUnloadDriver error 1
17:35:15:765 6516 KLMD_Unload: UnloadDriverW(klmd21) error 1
17:35:15:765 6516 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:35:15:765 6516 UtilityDeinit: KLMD(ARK) unloaded successfully
californiastreet
Active Member
 
Posts: 11
Joined: January 20th, 2010, 6:08 pm
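The TDSSKiller log above shows the detection that matters in this thread: for the Disk driver object the 27 IRP dispatch slots point at several different addresses, while for atapi every slot points at the same address (89D74618), which the tool then confirms by patching the hook and by checking atapi.sys on disk (Verdict: Infected, cure scheduled for the next reboot). The following Python script is an added example, not code from the thread or from Kaspersky's tool: it parses a constructed, abridged log in the same format, recomputes the "all handlers point to one address" signal per driver object, collects the tool's own "handler infected" statements and file verdicts, and reads the Results counters to decide whether a reboot is still outstanding. The sample log text, the regular expressions and all function names are assumptions made for this example.

```python
"""Triage a TDSSKiller-style log (constructed sample below, modelled on the
2.2.2 log posted above): group the IrpHandler slots reported for each driver
object, flag any driver whose whole dispatch table collapses to one address
(the pattern the tool reports for atapi), collect per-file verdicts and the
Results counters, and say whether a reboot is still needed for the cure."""
import re

# Constructed, abridged sample in the format of the TDSSKiller log above;
# only three IRP slots per driver are shown to keep it short.
SAMPLE_LOG = r"""
17:35:15:250 6516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:35:15:250 6516 DetectCureTDL3: IrpHandler (0) addr: BA0FEBB0
17:35:15:250 6516 DetectCureTDL3: IrpHandler (1) addr: 804F4562
17:35:15:250 6516 DetectCureTDL3: IrpHandler (2) addr: BA0FEBB0
17:35:15:250 6516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:35:15:250 6516 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
17:35:15:250 6516 DetectCureTDL3: IrpHandler (0) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (1) addr: 89D74618
17:35:15:250 6516 DetectCureTDL3: IrpHandler (2) addr: 89D74618
17:35:15:250 6516 Driver "atapi" Irp handler infected by TDSS rootkit ... 17:35:15:250 6516 KLMD_WriteMem: Trying to WriteMemory 0x89D7467D[0xD]
17:35:15:250 6516 Driver "atapi" StartIo handler infected by TDSS rootkit ... 17:35:15:250 6516 TDL3_StartIoHookCure: Number of patches 1
17:35:15:265 6516 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
17:35:15:765 6516 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
17:35:15:765 6516 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:35:15:765 6516 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Line shapes taken from the log format; a new DRIVER_OBJECT line starts a block.
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
HANDLER_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-F]+)")
INFECTED_RE = re.compile(r'Driver "(\w+)" (Irp|StartIo) handler infected')
VERDICT_RE = re.compile(r"TDL3_FileDetect: (\S+) - Verdict: (\w+)")
RESULT_RE = re.compile(
    r"(Memory|Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)")


def parse_log(text):
    """Split the log into per-driver-object handler tables, tool hook reports,
    file verdicts and the three Results counters."""
    blocks, hooked, verdicts, results = [], {}, {}, {}
    current = None
    for line in text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = {"driver": m.group(2), "handlers": {}}
            blocks.append(current)
            continue
        m = HANDLER_RE.search(line)
        if m and current is not None:
            current["handlers"][int(m.group(1))] = m.group(2)
            continue
        m = INFECTED_RE.search(line)
        if m:
            hooked.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = VERDICT_RE.search(line)
        if m:
            verdicts[m.group(1)] = m.group(2)
            continue
        m = RESULT_RE.search(line)
        if m:
            results[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return blocks, hooked, verdicts, results


def uniform_dispatch_drivers(blocks):
    """Return {driver: addr} for every driver object whose IrpHandler slots all
    share one address, the heuristic signal the tool prints for atapi."""
    flagged = {}
    for block in blocks:
        addrs = set(block["handlers"].values())
        if len(block["handlers"]) > 1 and len(addrs) == 1:
            flagged[block["driver"]] = addrs.pop()
    return flagged


def needs_reboot(results):
    """True when any Results line still counts objects to be cured on reboot."""
    return any(on_reboot > 0 for (_, _, on_reboot) in results.values())


def triage(text):
    """Summarise a log into the facts a helper checks before replying."""
    blocks, hooked, verdicts, results = parse_log(text)
    return {
        "uniform_dispatch": uniform_dispatch_drivers(blocks),
        "hooked_handlers": hooked,
        "infected_files": sorted(p for p, v in verdicts.items() if v == "Infected"),
        "reboot_required": needs_reboot(results),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_LOG))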

Re: Search being redirected to ad sites

Post by Carolyn » February 6th, 2010, 12:58 pm

My computer seems to be fixed now! My search results are not being redirected anymore!!

I am cured?


Almost there... there is a bit more that needs to be cleaned up so please stay with me.

==============

Run a custom CFScript

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
KillAll::

File::
c:\windows\system32\X0C0F881TH.dat
c:\windows\system32\UP0G72RMXU.dat
c:\windows\system32\9B59X7KPIG.dat
c:\windows\system32\C9PYA5QZJ0.dat
c:\windows\system32\8DD2F1A00L.dat
c:\windows\system32\6MT0DMT445.dat
c:\windows\system32\E0RA0Q052O.dat
c:\windows\system32\T08W6N0Y08.dat
c:\windows\system32\NA0K2699QB.dat
c:\windows\system32\QMIOJ000U0.dat
c:\windows\system32\X94328J100.dat
c:\windows\system32\J37B74J600.dat
c:\windows\system32\0QET006DIH.dat
c:\windows\system32\B39G579NKB.dat
c:\windows\system32\100N060NPR.dat
c:\windows\system32\YH0WIDC185.dat
c:\windows\system32\5F6EFIND40.dat
c:\windows\system32\LLJO01SJN0.dat
c:\windows\system32\R8WZL005FB.dat
c:\windows\system32\1EJ0TX2KFD.dat
c:\windows\system32\XW020T0F9L.dat
c:\windows\system32\03CVQQDNHC.dat
c:\windows\system32\4CX30CO7Z3.dat
c:\windows\system32\M0508YLEUN.dat
c:\windows\system32\0J079U0FL8.dat
c:\windows\system32\WU4TXCXC4Y.dat
c:\windows\system32\W0LTVFFA86.dat
c:\windows\system32\0J3XO03C70.dat
c:\windows\system32\0T739Z0O0N.dat
c:\windows\system32\MFCD50QQG7.dat
c:\windows\system32\00PBPWQ0V.dat
c:\windows\system32\LW0ZG8ZVR0.dat
c:\windows\system32\96N9RB8NR.dat
c:\windows\system32\03DQ9HU4O0.dat
c:\windows\system32\XDG9F003T.dat
c:\windows\system32\00VFWLZKW7.dat
c:\windows\system32\Z0O090ZZT.dat
c:\windows\system32\BPZCZ0BC00.dat
c:\windows\system32\7V8TU7OB1.dat
c:\windows\system32\0I004W5150.dat
c:\windows\system32\00QJ00TZ2.dat
c:\program files\LimeWireWin.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


==============

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

==============

I see that you have Magic Jack installed. Is that a program that you use or would you like it to be removed from your computer?

Please post the following in your next reply:
  • The answer to my question regarding Magic Jack
  • The ComboFix log
  • The Kaspersky log
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
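The CFScript that Carolyn asks for is a small sectioned text format: a section header such as KillAll::, File:: or Registry:: followed by its entries, with the Registry section written in REGEDIT4 syntax where a value line ending in =- means "delete this value". ComboFix echoes the requested files under FILE :: in its log and lists what it actually removed under Other Deletions. The Python below is an added example, not code from the thread or from ComboFix: it parses a constructed CFScript in that format and reconciles its File:: list against the Other Deletions section of a constructed ComboFix-style log, so that a requested file which the log does not confirm as deleted stands out. The sample script, the sample log, the placeholder path c:\windows\system32\EXAMPLE000.dat and all function names are assumptions made for this example.

```python
"""Parse a ComboFix CFScript (KillAll::, File::, Registry:: sections) and check
a ComboFix log to confirm that every requested file really was deleted.
Both inputs below are constructed samples in the shape of the posts above."""
import re

# Constructed CFScript; EXAMPLE000.dat is a placeholder added to show the
# "requested but not confirmed deleted" case.
CFSCRIPT = r"""
KillAll::

File::
c:\windows\system32\X0C0F881TH.dat
c:\windows\system32\EXAMPLE000.dat
c:\program files\LimeWireWin.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"=-
"""

# Constructed, abridged ComboFix log in the layout of the log posted later in
# this thread: FILE :: echoes the request, Other Deletions lists the removals.
COMBOFIX_LOG = r"""
Command switches used :: c:\documents and settings\Ryan\Desktop\CFScript.txt

FILE ::
"c:\program files\LimeWireWin.exe"
"c:\windows\system32\EXAMPLE000.dat"
"c:\windows\system32\X0C0F881TH.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWireWin.exe
c:\windows\system32\X0C0F881TH.dat

.
((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"(.+)"=(.*)$')


def parse_cfscript(text):
    """Return {section: entries}. File-style sections hold lower-cased paths;
    the Registry section holds (key, value_name, action) tuples."""
    sections, current, current_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            current_key = None
            continue
        if current is None:
            raise ValueError(f"entry outside any section: {line!r}")
        if current == "Registry":
            m = REG_KEY_RE.match(line)
            if m:
                current_key = m.group(1)
                continue
            m = REG_VALUE_RE.match(line)
            if m and current_key:
                # REGEDIT4 syntax: "name"=- deletes the value, anything else sets it.
                action = "delete" if m.group(2) == "-" else "set"
                sections[current].append((current_key, m.group(1), action))
                continue
            raise ValueError(f"unrecognised Registry line: {line!r}")
        sections[current].append(line.lower())
    return sections


def deleted_files_from_log(log):
    """Collect the paths listed under the Other Deletions banner, stopping at
    the next '((((' banner; ComboFix's lone '.' separator lines are skipped."""
    deleted, in_section = set(), False
    for raw in log.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            in_section = True
            continue
        if in_section:
            if line.startswith("(((("):
                break
            if line and line != ".":
                deleted.add(line.lower())
    return deleted


def reconcile(cfscript, log):
    """Compare the File:: request with what the log confirms as deleted."""
    requested = set(parse_cfscript(cfscript).get("File", []))
    deleted = deleted_files_from_log(log)
    return {
        "confirmed": sorted(requested & deleted),
        "not_confirmed": sorted(requested - deleted),
        "unexpected": sorted(deleted - requested),
    }


if __name__ == "__main__":
    for status, paths in reconcile(CFSCRIPT, COMBOFIX_LOG).items():
        print(status, paths)
```

Paths are compared case-insensitively because the script is written in lower case while ComboFix preserves the case it finds on disk; a non-empty not_confirmed list is the signal that a file was locked, already gone, or otherwise not handled and needs a second look.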

Re: Search being redirected to ad sites

Post by californiastreet » February 6th, 2010, 9:53 pm

Hi Carolyn,

Below are the two log files you requested. In response to your question, MagicJack is something that we do use or are planning to use to replace our home phone service once this computer is up and running again.

Log File from combofix:
ComboFix 10-02-03.04 - Ryan 02/06/2010 10:42:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1401 [GMT -8:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan\Desktop\CFScript.txt

FILE ::
"c:\program files\LimeWireWin.exe"
"c:\windows\system32\00PBPWQ0V.dat"
"c:\windows\system32\00QJ00TZ2.dat"
"c:\windows\system32\00VFWLZKW7.dat"
"c:\windows\system32\03CVQQDNHC.dat"
"c:\windows\system32\03DQ9HU4O0.dat"
"c:\windows\system32\0I004W5150.dat"
"c:\windows\system32\0J079U0FL8.dat"
"c:\windows\system32\0J3XO03C70.dat"
"c:\windows\system32\0QET006DIH.dat"
"c:\windows\system32\0T739Z0O0N.dat"
"c:\windows\system32\100N060NPR.dat"
"c:\windows\system32\1EJ0TX2KFD.dat"
"c:\windows\system32\4CX30CO7Z3.dat"
"c:\windows\system32\5F6EFIND40.dat"
"c:\windows\system32\6MT0DMT445.dat"
"c:\windows\system32\7V8TU7OB1.dat"
"c:\windows\system32\8DD2F1A00L.dat"
"c:\windows\system32\96N9RB8NR.dat"
"c:\windows\system32\9B59X7KPIG.dat"
"c:\windows\system32\B39G579NKB.dat"
"c:\windows\system32\BPZCZ0BC00.dat"
"c:\windows\system32\C9PYA5QZJ0.dat"
"c:\windows\system32\E0RA0Q052O.dat"
"c:\windows\system32\J37B74J600.dat"
"c:\windows\system32\LLJO01SJN0.dat"
"c:\windows\system32\LW0ZG8ZVR0.dat"
"c:\windows\system32\M0508YLEUN.dat"
"c:\windows\system32\MFCD50QQG7.dat"
"c:\windows\system32\NA0K2699QB.dat"
"c:\windows\system32\QMIOJ000U0.dat"
"c:\windows\system32\R8WZL005FB.dat"
"c:\windows\system32\T08W6N0Y08.dat"
"c:\windows\system32\UP0G72RMXU.dat"
"c:\windows\system32\W0LTVFFA86.dat"
"c:\windows\system32\WU4TXCXC4Y.dat"
"c:\windows\system32\X0C0F881TH.dat"
"c:\windows\system32\X94328J100.dat"
"c:\windows\system32\XDG9F003T.dat"
"c:\windows\system32\XW020T0F9L.dat"
"c:\windows\system32\YH0WIDC185.dat"
"c:\windows\system32\Z0O090ZZT.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWireWin.exe
c:\windows\system32\00PBPWQ0V.dat
c:\windows\system32\00QJ00TZ2.dat
c:\windows\system32\00VFWLZKW7.dat
c:\windows\system32\03CVQQDNHC.dat
c:\windows\system32\03DQ9HU4O0.dat
c:\windows\system32\0I004W5150.dat
c:\windows\system32\0J079U0FL8.dat
c:\windows\system32\0J3XO03C70.dat
c:\windows\system32\0QET006DIH.dat
c:\windows\system32\0T739Z0O0N.dat
c:\windows\system32\100N060NPR.dat
c:\windows\system32\1EJ0TX2KFD.dat
c:\windows\system32\4CX30CO7Z3.dat
c:\windows\system32\5F6EFIND40.dat
c:\windows\system32\6MT0DMT445.dat
c:\windows\system32\7V8TU7OB1.dat
c:\windows\system32\8DD2F1A00L.dat
c:\windows\system32\96N9RB8NR.dat
c:\windows\system32\9B59X7KPIG.dat
c:\windows\system32\B39G579NKB.dat
c:\windows\system32\BPZCZ0BC00.dat
c:\windows\system32\C9PYA5QZJ0.dat
c:\windows\system32\E0RA0Q052O.dat
c:\windows\system32\J37B74J600.dat
c:\windows\system32\LLJO01SJN0.dat
c:\windows\system32\LW0ZG8ZVR0.dat
c:\windows\system32\M0508YLEUN.dat
c:\windows\system32\MFCD50QQG7.dat
c:\windows\system32\NA0K2699QB.dat
c:\windows\system32\QMIOJ000U0.dat
c:\windows\system32\R8WZL005FB.dat
c:\windows\system32\T08W6N0Y08.dat
c:\windows\system32\UP0G72RMXU.dat
c:\windows\system32\W0LTVFFA86.dat
c:\windows\system32\WU4TXCXC4Y.dat
c:\windows\system32\X0C0F881TH.dat
c:\windows\system32\X94328J100.dat
c:\windows\system32\XDG9F003T.dat
c:\windows\system32\XW020T0F9L.dat
c:\windows\system32\YH0WIDC185.dat
c:\windows\system32\Z0O090ZZT.dat

.
((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-01-27 18:19 . 2009-12-12 02:05 3613560 ----a-w- c:\documents and settings\Ryan\Application Data\Simply Super Software\Trojan Remover\jta1.exe
2010-01-21 18:08 . 2009-12-12 02:05 3613560 ----a-w- c:\documents and settings\Ryan\Application Data\Simply Super Software\Trojan Remover\wwi11F.exe
2010-01-20 21:59 . 2010-01-20 21:59 388096 ----a-r- c:\documents and settings\Ryan\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-20 21:59 . 2010-01-20 21:59 -------- d-----w- c:\program files\TrendMicro
2010-01-20 21:02 . 2010-01-27 18:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-20 20:56 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-20 20:56 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-20 20:56 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-20 20:56 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-01-20 20:56 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-20 20:56 . 2010-01-20 20:56 -------- d-----w- c:\program files\Trojan Remover
2010-01-20 20:56 . 2010-01-20 20:56 -------- d-----w- c:\documents and settings\Ryan\Application Data\Simply Super Software
2010-01-20 20:56 . 2010-01-20 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-01-14 19:07 . 2010-01-14 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-12 20:24 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 01:36 . 2004-08-04 10:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-05 19:10 . 2010-01-04 01:36 -------- d-----w- c:\documents and settings\Ryan\Application Data\mjusbsp
2010-01-05 10:00 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-24 16:59 . 2009-12-24 16:59 93016 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\ug00000\magicJack.dll
2009-12-24 16:58 . 2010-01-05 19:10 6515976 ---ha-w- c:\documents and settings\Ryan\Application Data\mjusbsp\in00000\setup.exe
2009-12-24 16:58 . 2010-01-04 01:36 6515976 ---ha-w- c:\documents and settings\Ryan\Application Data\mjusbsp\Upgrade\setup1.exe
2009-12-24 16:58 . 2009-12-24 16:58 6515976 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\ug00000\setup.exe
2009-12-24 16:58 . 2009-12-24 16:58 416328 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\magicJackLoader.exe
2009-12-24 16:58 . 2009-12-24 16:58 480608 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\octvqe1_apiw.dll
2009-12-24 16:58 . 2009-12-24 16:58 214360 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\TjVista.dll
2009-12-24 16:58 . 2009-12-24 16:58 337240 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\TjIpSys.dll
2009-12-24 16:58 . 2009-12-24 16:58 607600 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\SJHandsetMagicJack.dll
2009-12-24 16:58 . 2009-12-24 16:58 87384 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\st00000\mjsetup.exe
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\st00000\magicJack.dll
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\magicJack.dll
2009-12-24 16:55 . 2009-12-24 16:55 12482904 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\magicJack.exe
2009-12-24 16:54 . 2010-01-05 19:10 730032 ---ha-w- c:\documents and settings\Ryan\Application Data\mjusbsp\ar00000\install.exe
2009-12-24 16:54 . 2010-01-04 01:36 730032 ---ha-w- c:\documents and settings\Ryan\Application Data\mjusbsp\Upgrade\install1.exe
2009-12-24 16:54 . 2009-12-24 16:54 730032 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\ug00000\install.exe
2009-12-24 16:53 . 2009-12-24 16:53 87384 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\in00000\mjsetup.exe
2009-12-24 16:53 . 2009-12-24 16:53 93016 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\in00000\magicJack.dll
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\st00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\in00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 50520 ----a-w- c:\documents and settings\Ryan\Application Data\mjusbsp\cdloader2.exe
2009-12-17 18:21 . 2009-11-12 17:32 79488 ----a-w- c:\documents and settings\Ryan\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-18 01:09 . 2009-11-18 01:09 25848 ---ha-w- c:\windows\system32\mlfcache.dat
2008-09-03 22:00 . 2008-09-03 22:00 486152 ----a-w- c:\program files\ChromeSetup.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-02-03_22.08.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-06 18:46 . 2010-02-06 18:46 16384 c:\windows\temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Ryan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-21 135664]
"cdloader"="c:\documents and settings\Ryan\Application Data\mjusbsp\cdloader2.exe" [2009-12-24 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-07 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-07 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-07 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"SpySweeperEnterprise"="c:\program files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.EXE" [2007-01-15 403520]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-18 1070984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Ryan\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1631258194-52696290-1074493836-2683Core.job
- c:\documents and settings\rpatterson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 22:00]

2010-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1631258194-52696290-1074493836-2683UA.job
- c:\documents and settings\rpatterson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 22:00]

2010-02-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-879983540-839522115-1006Core.job
- c:\documents and settings\Ryan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 20:18]

2010-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-879983540-839522115-1006UA.job
- c:\documents and settings\Ryan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 20:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 10:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\WRLogonNtf.DLL

- - - - - - - > 'explorer.exe'(5812)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\commagent.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-06 10:49:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-06 18:49
ComboFix2.txt 2010-02-03 22:12

Pre-Run: 60,602,888,192 bytes free
Post-Run: 60,566,720,512 bytes free

- - End Of File - - D7C276AC0C9D77A8C00C59AAD1CF0D1A

Kaspersky Log File:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, February 6, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, February 06, 2010 19:27:34
Records in database: 3442154
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 56161
Threats found: 5
Infected objects found: 10
Suspicious objects found: 0
Scan duration: 01:05:23


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\ovqac.exe.vir Infected: Packed.Win32.Katusha.k 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\e035mf2.dll.vir Infected: Packed.Win32.Katusha.j 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbdsock.dll.vir Infected: Trojan.Win32.Agent.deot 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mshlps.dll.vir Infected: Trojan.Win32.Agent.deou 1
C:\System Volume Information\_restore{EC67D0E9-B07D-49F5-8C6E-2A05F6015120}\RP1\A0000017.exe Infected: Packed.Win32.Katusha.k 1
C:\System Volume Information\_restore{EC67D0E9-B07D-49F5-8C6E-2A05F6015120}\RP1\A0000038.dll Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{EC67D0E9-B07D-49F5-8C6E-2A05F6015120}\RP1\A0000040.dll Infected: Trojan.Win32.Agent.deot 1
C:\System Volume Information\_restore{EC67D0E9-B07D-49F5-8C6E-2A05F6015120}\RP1\A0000041.dll Infected: Trojan.Win32.Agent.deou 1
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\4f6fda35-4254a76f Infected: Trojan-Downloader.Java.Agent.al 1
C:\WINDOWS\system32\gkgbgdgsgogcgkg Infected: Trojan.Win32.Agent.deot 1

Selected area has been scanned.
californiastreet
Active Member
 
Posts: 11
Joined: January 20th, 2010, 6:08 pm

Re: Search being redirected to ad sites

Unread postby Carolyn » February 8th, 2010, 5:40 pm

Hello,

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following; if found, delete them:

C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\4f6fda35-4254a76f
C:\WINDOWS\system32\gkgbgdgsgogcgkg

====================

This is my general post for when your logs show no more signs of malware ;) Please let me know if you are still having problems with your computer and what these problems are.

Your log now appears to be clean. Congratulations!

    Delete ComboFix and Clean Up

    The following will implement some cleanup procedures as well as reset System Restore points:

    Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

    ComboFix /Uninstall

    Please advise if this step is missed for any reason as it performs some important actions.


    OTC

    Download OTC by Old Timer and save it to your Desktop.

    • Double-click OTC.exe
    • Click the CleanUp! button
    • Select Yes when the "Begin cleanup Process?" prompt appears
    • If you are prompted to reboot during the cleanup, select Yes
    • The tool will delete itself once it finishes; if not, delete it yourself

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


    Protection Programs
    Don't forget to re-enable any protection programs we disabled during your fix.

    General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

    • Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under Hidden files and folders, if necessary select Do not show hidden files and folders.
      • If unchecked, please check Hide protected operating system files (Recommended).
      • If necessary, check Display content of system folders.
      • If necessary, uncheck Hide file extensions for known file types.
      • Click OK.


    • Make sure that you keep your antivirus updated
      New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
      Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

    • Security Updates for Windows, Internet Explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
      Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

    • Update Non-Microsoft Programs
      Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

    • Make Internet Explorer More Secure
      You are using Internet Explorer v. 7. Therefore, please read and follow the recommendations at this SITE.


    Recommended Programs

    I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

    • WinPatrol
      As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

    • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

    • Malwarebytes' Anti-Malware or SuperAntiSpyware
      These are anti-malware applications that can thoroughly remove even the most advanced malware. They include a number of features, including a built in protection monitor that blocks malicious processes before they even start.
      You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.
      You can download SuperAntiSpyware from HERE.

    • Hosts File
      For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE, and for more information regarding Hosts files read HERE.

      Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
      If this isn't done first, the next reboot may take a VERY LONG TIME.
      This is how to do it. First be sure you are signed in as a user with administrative privileges:
      Stop and Disable the DNS Client Service
      Go to Start, Run and type Services.msc and click OK.
      Under the Extended tab, scroll down and find this service:
      DNS Client
      Right-click on the DNS Client service and choose Properties.
      Select the General tab. Click on the Stop button.
      Click the down arrow on the right-hand side of the Start-up Type box.
      From the drop-down menu, click on Manual.
      Click Apply, then click OK.


    • Use an alternative Internet Browser
      Many of the exploits are directed at users of Internet Explorer. Try using a different browser instead:
      Firefox
      Opera


Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also, please read this great article by Tony Klein: "So How Did I Get Infected In First Place".

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
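An added example, not code from this thread or from any of the tools it mentions, that does the triage Carolyn performs by hand on the Kaspersky report above: it parses the report's `File name / Threat / Threats count` lines and separates objects already sitting in ComboFix's Qoobox quarantine or in System Restore points (cleared when restore points are reset) from files still live on disk, which are the ones that need manual deletion. The paths and threat names are copied from the posted report; the category names and the declared-count check are my own.

```python
import re

# Sample lines copied from the Kaspersky Online Scanner 7.0 report posted in this thread.
SAMPLE_REPORT = r"""
Infected objects found: 10
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\ovqac.exe.vir Infected: Packed.Win32.Katusha.k 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\e035mf2.dll.vir Infected: Packed.Win32.Katusha.j 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbdsock.dll.vir Infected: Trojan.Win32.Agent.deot 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mshlps.dll.vir Infected: Trojan.Win32.Agent.deou 1
C:\System Volume Information\_restore{EC67D0E9-B07D-49F5-8C6E-2A05F6015120}\RP1\A0000017.exe Infected: Packed.Win32.Katusha.k 1
C:\System Volume Information\_restore{EC67D0E9-B07D-49F5-8C6E-2A05F6015120}\RP1\A0000038.dll Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{EC67D0E9-B07D-49F5-8C6E-2A05F6015120}\RP1\A0000040.dll Infected: Trojan.Win32.Agent.deot 1
C:\System Volume Information\_restore{EC67D0E9-B07D-49F5-8C6E-2A05F6015120}\RP1\A0000041.dll Infected: Trojan.Win32.Agent.deou 1
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\4f6fda35-4254a76f Infected: Trojan-Downloader.Java.Agent.al 1
C:\WINDOWS\system32\gkgbgdgsgogcgkg Infected: Trojan.Win32.Agent.deot 1
"""

# One detection line: "<path with spaces> Infected: <threat> <count>".
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def classify(path):
    """Where a detected object lives decides what the user still has to do (categories are mine)."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "quarantined"      # already neutralised by ComboFix
    if r"\system volume information\_restore" in p:
        return "restore_point"    # gone once System Restore points are reset
    return "live"                 # still on disk: manual deletion needed


def triage(report):
    """Return {category: [(path, threat), ...]}; fail if the parsed count disagrees with the report."""
    buckets = {"quarantined": [], "restore_point": [], "live": []}
    declared = None
    for line in report.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            buckets[classify(m["path"])].append((m["path"], m["threat"]))
        elif line.startswith("Infected objects found:"):
            declared = int(line.split(":")[1])
    parsed = sum(len(v) for v in buckets.values())
    if declared is not None and declared != parsed:
        raise ValueError(f"report declares {declared} infected objects, parsed {parsed}")
    return buckets


if __name__ == "__main__":
    for path, threat in triage(SAMPLE_REPORT)["live"]:
        print(f"still on disk: {path}  ({threat})")
```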

Re: Search being redirected to ad sites

Unread postby californiastreet » February 8th, 2010, 6:36 pm

Hi Carolyn,

THANKS SO MUCH FOR YOUR HELP!!!!!

I found both of those files and deleted them from my computer. I have also cleaned up all of the program files that we used to clean up the computer.

Everything seems to be working perfectly now. I will continue to monitor things and let you know if anything suspicious starts happening. I have also read through many of the support articles and have implemented many of the techniques mentioned to further protect my computer.

I am definitely going to be making a donation to this organization, as it was a total godsend for me, and I want to support the great cause that all of you moderators serve on a daily basis. Thanks for sticking with me, and bless you and the work you do.

Cheers,
Ryan
californiastreet
Active Member
 
Posts: 11
Joined: January 20th, 2010, 6:08 pm

Re: Search being redirected to ad sites

Unread postby Carolyn » February 10th, 2010, 8:54 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine