Google redirects...found malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by noob_saibot, Jun 8, 2009.

  1. noob_saibot

    noob_saibot Private E-2

    First of all, hello.

    I have been using MajorGeeks for a while, but only now have I had the embarrassing shame of being infected by rootkits and malware so heinous that I had to use MGtools, mab, CCleaner, ComboFix, and SAS. I have run the programs, and they all eventually worked. Here is my recollection of what happened.

    As far as how the malware got downloaded, no idea. But when I kept being redirected from Google links (able to visit pages on back, then clicking again) I thought I had some nasties, so I ran my Antivir prog and came up with 18 viruses and other nasties! (ouch). Not two weeks ago I had scanned my system and it was clear, so I figure some unsecure webpage or other hands were involved (single computer household). I found a similar situation on these forums and ran the requested diag. and removal tools. First I installed and ran SAS (had to rename to run) and it discovered the 3 nasties left over that my Ad-Aware, CCleaner, and Antivir didn't catch. I tried running mab and it would not load, so I skipped it and went on to ComboFix. ComboFix worked beautifully and after the reboot (2 reboots at this point) I could run mab. Unfortunately, nothing was found after ComboFix got its hands on my drivers. I ran MGtools as a precaution and all it seemed to do was add its own registry and put HJT on my comp. Anyway, I think I'm done, but you guys are the experts so here are my logs. :)

    Thanks in advance.
     

    Attached Files:

  2. noob_saibot

    noob_saibot Private E-2

    One more thing. After I cleaned my comp and was able to use the internet regularly and update all my progs, I noticed a new internet connection (intartubes!) was created on my wireless utility. I have since deleted the connection and it came back? I run a standard Netgear wireless G router with a Belkin G USB wireless adapter and use the Belkin utility cuz otherwise the internet won't work. Any ideas on this? Should I get better protection progs?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure what this is but it does not appear to be malware. You are fairly clean after running the READ & RUN ME but we do have a little more to do.

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 11

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below.
    Note: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. noob_saibot

    noob_saibot Private E-2

    ok thx

    Ran HJT and ComboFix as requested.

    Ran ComboFix twice so the log may be incomplete, but all tmp and reg files from the script were indeed removed.

    *new issue*
    Now when I boot I get a Windows prompt to find a prog to run svchost.exe.vir.
    I have the choice to select a prog from the comp or use the web to find one.

    Thank you for taking the time to help me.
    Here are my logs.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Do you know if the below file is valid? I would not expect an EXE file to be located here.
    c:\documents and settings\Erin Rogers\Application Data\Convivea\Bit_Che\scripts\x.exe

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - Startup: svchost.lnk = C:\Qoobox\Quarantine\C\WINDOWS\system\svchost.exe.vir
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. noob_saibot

    noob_saibot Private E-2

    Okay... I ran my antivirus after I posted and it picked up the .vir as a gen trojan. So needless to say I ran CCleaner and it's gone. I've got one more question, for my own benefit.

    Found a repeating instance in HJT and wondered if it did anything.
    O10 - Unknown file in Winsock LSP: bmnet.dll

    It repeats four times in the scan. Didn't know if it would cause me probs. My biggest fear is another rootkit or malware allowing someone to hijack my internet again. (btw, still have the intartubes! connection in my preferred connections list no matter how often I delete it. Yes, it is an unsecure network.)

    Your help has not only fixed my problems, but I now have a faster computer! Thanks much. For further insight into my machine I'll list some specs for you.

    Dell Dimension E310
    1.0 gb ram
    pentium 4 2.8 ghz

    windows xp media center 2002 ed. sp3

    Avir Antivirus
    Ad Aware Anniversary Ed. with ad watch
    SAS
    Malwarebytes 3.7
    CCleaner

    Again, thanks much. I don't know why you do it, but I'm glad you do.
     

    Attached Files:

    Last edited: Jun 16, 2009
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    It is for the Bytemobile Optimization Client software you have installed. Possibly you use this with your Blackberry or something else from Sprint.

    We don't need them. The logs from MGtools contain all of this and much more. ;)

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
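Separately from the final steps above, here is an added example (not from this thread, and not part of HijackThis or any MajorGeeks tool) that reproduces the triage chaslang applied to the HJT lines in this thread: entries ending in "(no file)" are orphaned registry pointers, an O4 startup link into ComboFix's Qoobox quarantine is what produced the svchost.exe.vir prompt at boot, and an O10 Winsock LSP entry is flagged for identification by file name rather than removal. The sample log is constructed from the kinds of lines posted above; the CLSID on the Java line is a placeholder.

```python
import re

# Constructed sample HijackThis lines of the kinds discussed in this thread.
# The CLSID on the Java line is a placeholder, not a real identifier.
SAMPLE_HJT_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java SSV Helper - {PLACEHOLDER-CLSID} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O4 - Startup: svchost.lnk = C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system\\svchost.exe.vir
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: bmnet.dll
"""

# HJT entries look like "<section> - <body>", e.g. "O2 - BHO: ...".
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

def classify(line):
    """Return (section, verdict) for one HijackThis line, or None if it is not an entry."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if body.endswith("(no file)"):
        # Registry entry whose target binary is gone: orphaned, safe to fix in HJT.
        return section, "orphaned"
    if section == "O4" and ("\\Qoobox\\Quarantine\\" in body or body.lower().endswith(".vir")):
        # Startup link into ComboFix's quarantine: this is what produces the
        # "find a program to open svchost.exe.vir" prompt at boot.
        return section, "points-to-quarantine"
    if section == "O10" and "Winsock LSP" in body:
        # LSP entries get identified by file name before anything is removed;
        # deleting a legitimate LSP can break networking.
        return section, "identify"
    return section, "ok"

def triage(log_text):
    """Group flagged lines by verdict; entries judged 'ok' are left out."""
    findings = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result is None or result[1] == "ok":
            continue
        findings.setdefault(result[1], []).append(line.strip())
    return findings

if __name__ == "__main__":
    for verdict, lines in triage(SAMPLE_HJT_LOG).items():
        print(verdict, "->", lines)
```

The start-page (R0) line is deliberately left as "ok": whether a homepage setting is unwanted is a judgement call for the person reading the log, not something a pattern can decide.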
