Partner37 Redirect (At Least One Browser)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JackTheTripper1, May 27, 2012.

  1. JackTheTripper1

    JackTheTripper1 Private E-2

    A while back (perhaps three weeks ago or so), I started having troubles with my internet connection. My browsers, all of them, would suddenly start throwing DNS errors at me when I tried to load anything at all, and I'd have to either restart my computer, connect to my router via an ethernet cord, or use my USB wireless adapter in order to access the internet. I suspect that from the solutions I found, this was a mere hardware/software issue.

    It was around that same time that another issue popped up. When I would surf the internet, sometimes I could not load the pages I'd want to, and I'd be instead prompted to an odd search-engine type website calling itself 'partner37.mydomain...' What with all the trouble going on with my internet connection, I unfortunately didn't immediately realize something was wrong. Especially since it affected multiple browsers of mine. It wasn't until I was using my USB adapter constantly to assure an internet connection and it popped up once more, that I realized, 'Oh heck, this is probably a virus.'

    So I frantically searched the internet in an attempt to fix the issue, and found this place. I went through the redirection malware guide and the basic malware guide, and despite one oddity (Root Repeal doesn't seem to want to work on my netbook) everything seemed fine. SuperAntiSpyware and MalwareBytes gave my computer a clean bill of health. Combofix and MGTools worked fine. So I figured I'd give it some time, see if what I'd tried had dealt with the issue.

    But then today the redirect popped up back again in Opera (currently running Chome to access MajorGeeks).

    I don't really remember what I was doing when the issue first popped up. I don't have logs from SuperAntiSpyware or RootRepeal, as the first found nothing (and thus did not create a log, to my knowledge), and RootRepeal crashed every time it started to load on my computer.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, JackTheTripper1 :)

    [​IMG] From Programs and Features (via Control Panel), please uninstall the below and keep them uninstalled at least until we are finished with removing malware:
    • AVG 2012
    • Babylon toolbar on IE
    • Spam Free Search Bar
    • Yontoo 1.10.02

    [​IMG] Please download and run AVG Remover

    [​IMG] Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    [COLOR="DarkRed"]KillAll::[/COLOR]
    [COLOR="DarkRed"]ClearJavaCache::[/COLOR]
    [COLOR="DarkRed"]DDS::[/COLOR]
    uStart Page = hxxp://blekko.com?source=c3348dd4&tbp=homepage&toolbarid=blekkotb&u=201203299BB94222B3816B3AE3BCDE49
    IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\AVG\AVG2012\avgdtiex.dll
    [COLOR="DarkRed"]DirLook::[/COLOR]
    c:\program files\Security Task Manager
    [COLOR="DarkRed"]Driver::[/COLOR]
    avgwd
    [COLOR="DarkRed"]FireFox::[/COLOR]
    FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\eat21ydk.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=18556
    FF - prefs.js: browser.search.selectedEngine - Blekko
    FF - prefs.js: browser.startup.homepage - hxxps://blekko.com/
    FF - prefs.js: keyword.URL - hxxp://blekko.com/?source=c3348dd4&tbp=url&toolbarid=blekkotb&u=___userid___&q=
    FF - user.js: extentions.y2layers.installId - 256d5534-c9a3-4e18-b099-6ff266f7e80b
    FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,
    FF - user.js: extensions.autoDisableScopes - 14
    FF - user.js: security.csp.enable - false
    [COLOR="DarkRed"]File::[/COLOR]
    C:\Program Files\Mozilla Firefox\searchplugins\blekkotb.xml
    C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
    C:\Users\James\Desktop\dwuvlspwteidota6vjb7ra2.gif
    C:\Users\James\Desktop\MGtools.exe
    [COLOR="DarkRed"]Folder::[/COLOR]
    c:\program files\Yontoo
    C:\Program Files\AVG
    C:\Users\James\AppData\Local\blekkotb
    C:\Program Files\blekkotb
    C:\$AVG
    C:\Users\James\AppData\Local\{077C2C2D-F774-47B8-8A93-BD6F9CC965E2}
    C:\Users\James\AppData\Local\{08B4AE28-FFE8-4F61-BFAC-DF5D83AB8800}
    C:\Users\James\AppData\Local\{0EDC86BC-3A21-4D4F-91D2-DFF5342AEEDE}
    C:\Users\James\AppData\Local\{0FAF3848-2359-4140-872C-A4B17578875F}
    C:\Users\James\AppData\Local\{1069ABE0-F583-46A7-A99A-EDAF80228593}
    C:\Users\James\AppData\Local\{125A2C3C-8169-4CB2-B144-7B9C7181F794}
    C:\Users\James\AppData\Local\{130805BC-4804-427B-B309-FC93363C412E}
    C:\Users\James\AppData\Local\{13E5884E-2A0F-40BB-820C-1678C8162548}
    C:\Users\James\AppData\Local\{156822F5-C099-428D-844F-AD4359CF558F}
    C:\Users\James\AppData\Local\{188E985D-1CCD-4336-A3DC-27EA154DEAC2}
    C:\Users\James\AppData\Local\{2118AF1C-9A18-45B9-B564-2957301632FA}
    C:\Users\James\AppData\Local\{228C4A71-A6E5-4207-A1C4-B9C624EFE39F}
    C:\Users\James\AppData\Local\{23097E24-51FE-468D-8DD6-98D962985F4B}
    C:\Users\James\AppData\Local\{26597DBF-1054-4E3A-9923-25A5207DBB7B}
    C:\Users\James\AppData\Local\{279DFE0C-0695-4EC1-B29C-75E3A9932633}
    C:\Users\James\AppData\Local\{32E546C2-8C79-46C8-A3EF-96FEEAC1F557}
    C:\Users\James\AppData\Local\{3363625A-875C-4D21-9870-79B1F3BD006A}
    C:\Users\James\AppData\Local\{3426A398-22A0-4B88-B3B7-37C4A5E3DE3E}
    C:\Users\James\AppData\Local\{3448A6C3-88DF-4AA7-86F4-7C73FC137F37}
    C:\Users\James\AppData\Local\{392C9BC8-3C7C-4FB0-B2CA-B86CDF923AEB}
    C:\Users\James\AppData\Local\{39A1A20F-EA2A-47A3-B852-F7E7164699C5}
    C:\Users\James\AppData\Local\{3A6DBFD9-E8CE-4AF4-905B-BA9FDD86AF4B}
    C:\Users\James\AppData\Local\{412DCA21-DDCE-4F1E-9B4D-EDCEEACD4C2C}
    C:\Users\James\AppData\Local\{42D51B39-F1A6-4DF2-AA73-76B76D104081}
    C:\Users\James\AppData\Local\{468761D5-9086-48D7-945E-F9B2286C2D31}
    C:\Users\James\AppData\Local\{4C282A8A-7016-4398-97B0-45A6143403DA}
    C:\Users\James\AppData\Local\{50272200-213A-49E5-94CF-307833671163}
    C:\Users\James\AppData\Local\{512B64C7-46F4-4378-A3EF-EADABEE0D5F2}
    C:\Users\James\AppData\Local\{551DF265-E205-4EA3-98BB-3593E845CE9F}
    C:\Users\James\AppData\Local\{560F686E-9FEB-4EB0-AE72-F45B028192D1}
    C:\Users\James\AppData\Local\{5E3B7A89-1F71-4503-84C6-1223EB5D0181}
    C:\Users\James\AppData\Local\{5FA56AE0-3682-467C-A022-CBB07B6605EC}
    C:\Users\James\AppData\Local\{648ED78D-C3E8-4546-AF4D-FE3DCEB56815}
    C:\Users\James\AppData\Local\{6A441F86-A930-499F-9D17-F8AF08C60F13}
    C:\Users\James\AppData\Local\{6B4204F2-78C2-4DAA-80AA-21BD0E674AF1}
    C:\Users\James\AppData\Local\{6E120061-74B4-4FDA-A0F9-E3BADA0E5A99}
    C:\Users\James\AppData\Local\{701F81FA-BCB6-41E3-AF5C-4C99AA19E4BC}
    C:\Users\James\AppData\Local\{74F6EE9D-9BBB-49B3-8A30-974A7C828F83}
    C:\Users\James\AppData\Local\{750EA632-46A3-4247-8B88-186655EF2EC2}
    C:\Users\James\AppData\Local\{762A019E-7FA7-4CF9-946D-F78C4EAD912C}
    C:\Users\James\AppData\Local\{76CA5D18-82F5-4B7A-B2C9-4D7935D241F9}
    C:\Users\James\AppData\Local\{7837A6A6-9B23-46C2-A04E-94B0702BE545}
    C:\Users\James\AppData\Local\{7D854B72-8EE0-4E30-B647-19F752FA61DB}
    C:\Users\James\AppData\Local\{7E11EC41-7624-408D-8502-2B2B9F03CD41}
    C:\Users\James\AppData\Local\{81E901EE-F221-4B3F-8983-21EB69BE3DE6}
    C:\Users\James\AppData\Local\{8284B386-E4F9-4C6E-8A72-FD67B4994CCB}
    C:\Users\James\AppData\Local\{8A9274F6-588B-4732-8E73-8E28DE5C0BF9}
    C:\Users\James\AppData\Local\{8EE82189-1F13-4D04-AFF5-54F856F6E28C}
    C:\Users\James\AppData\Local\{8F6A872F-2DE5-4BAE-A486-8FF7941C5826}
    C:\Users\James\AppData\Local\{90473E0A-0443-4131-A2C4-BBAB6BE32E2A}
    C:\Users\James\AppData\Local\{91194636-232C-46D1-8517-A42F37695F70}
    C:\Users\James\AppData\Local\{976B5253-0C7A-4D0A-84F6-3A5EA2180737}
    C:\Users\James\AppData\Local\{9901BBFD-5B18-4A0F-BE85-824D6B012220}
    C:\Users\James\AppData\Local\{99424FAB-1F89-4A38-B824-121EEF74AD99}
    C:\Users\James\AppData\Local\{9DADAB7E-09B5-4C85-98BB-0C5D7E0E5DD7}
    C:\Users\James\AppData\Local\{9E82079D-539F-4E2A-9217-70DDC14AC2FB}
    C:\Users\James\AppData\Local\{9F13B984-ABA0-404C-AA45-8316EB781B40}
    C:\Users\James\AppData\Local\{9F5F5B34-C21E-477F-B6FA-072C84E0DE70}
    C:\Users\James\AppData\Local\{A23D96C5-3A4C-47F9-96FE-E04507525D6E}
    C:\Users\James\AppData\Local\{A8EC978E-1097-4C41-87B5-06ED37304627}
    C:\Users\James\AppData\Local\{AB7270A4-E4C1-4564-8E5C-F51FED2C41A4}
    C:\Users\James\AppData\Local\{BB2AE31E-E1D7-4274-AD39-A023A1313C01}
    C:\Users\James\AppData\Local\{BC2172AF-EEC7-4404-AB1D-5B69CE4804A1}
    C:\Users\James\AppData\Local\{C1AFB0D2-2C4C-4803-99A5-2434CCB9C059}
    C:\Users\James\AppData\Local\{C21FCACF-34C6-459E-96AD-022DC70F6A08}
    C:\Users\James\AppData\Local\{C992A3EA-6815-4829-A9F8-19193C5A0A05}
    C:\Users\James\AppData\Local\{CF233B73-AC36-4E3B-BE70-FCD78757A3D4}
    C:\Users\James\AppData\Local\{D497477F-4162-4EB3-A28F-347C94B6FFB0}
    C:\Users\James\AppData\Local\{D4EB11C9-18DA-4E2D-B7EE-59C3A37A609A}
    C:\Users\James\AppData\Local\{D679B847-AA14-496B-B1EC-4F36358DBAEE}
    C:\Users\James\AppData\Local\{D9E27D9A-4B86-4F9A-A6EE-E1E1ACDAB2A0}
    C:\Users\James\AppData\Local\{E0FAB4F6-7CDE-4A6F-B590-7E6D4E1E5395}
    C:\Users\James\AppData\Local\{EAE9DABF-5DE4-47A5-A45C-D3470430B4E1}
    C:\Users\James\AppData\Local\{F1A729E2-E398-4747-AF57-89FD61D2A880}
    C:\Users\James\AppData\Local\{F6AB7E0C-3C4E-4BBA-89B3-0B1B6C06FEBF}
    C:\Users\James\AppData\Local\{FC521375-CDCA-4F2D-B72B-9AA4CB78AC3F}
    C:\Users\James\AppData\Local\{FF01D794-BFE2-48B4-A750-D7BA15D2079B}
    c:\program files\blekkotb
    c:\programdata\Anti-phishing Domain Advisor
    [COLOR="DarkRed"]Registry::[/COLOR]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26c9e18c-3717-4be1-a225-04e4471f5b6e}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG_TRAY"=-
    "Anti-phishing Domain Advisor"=-
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20a0be68-8fd9-4539-8712-ce3d1c1fdfc6}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26c9e18c-3717-4be1-a225-04e4471f5b6e}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{26c9e18c-3717-4be1-a225-04e4471f5b6e}"=-
    [-HKEY_CLASSES_ROOT\clsid\{26c9e18c-3717-4be1-a225-04e4471f5b6e}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"=-
    "{F53C93F1-07D5-430c-86D4-C9531B27DFAF}"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
    [COLOR="DarkRed"]SecCenter::[/COLOR]
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    [​IMG]
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    [​IMG] Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.
     
  3. JackTheTripper1

    JackTheTripper1 Private E-2

    Ran both programs, then immediately opened up Opera to check... Immediate redirect.

    Combofix updated before scanning, and while I'm pretty sure I clicked Close in the MGlogs program when a process ceased functioning during it, I may have clicked Cancel. Almost positive I clicked Close, though I feel the need to bring that up that possibility considering I'm still getting the redirect.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    We may have to uninstall Opera and reinstall it as I do not believe it is supported by any of our tools.
    It looks like there is still a problem with IE though, so do this scan:

    [​IMG] Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the [​IMG] text-field.
      Code:
      activex
      netsvcs
      
    • Now click the [​IMG] button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  5. JackTheTripper1

    JackTheTripper1 Private E-2

    Deleted Opera through the Control Panel. Is that sufficient to clear that particular browser out before reinstallation, or is there more to do on that front?

    Ran OTL. It spat out two logs, so I'll throw them both in.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    [​IMG] From Programs and Features (via Control Panel), please uninstall the below:
    • Security Task Manager 1.8d
    • Yontoo 1.10.02

    Leave it uninstalled until you finish the below step.

    [​IMG] Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the [​IMG] text-field.
    Code:
    [COLOR="DarkRed"]:otl[/COLOR]
    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\James\AppData\Local\Temp\mbr.sys -- (mbr)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\James\AppData\Local\Temp\catchme.sys -- (catchme)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\avgidsshimx.sys -- (AVGIDSShim)
    DRV - File not found [Kernel | Boot | Stopped] -- system32\DRIVERS\avgidshx.sys -- (AVGIDSHX)
    DRV - [2012/05/26 21:02:43 | 000,034,816 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\repealerofroots.sys -- (repealerofroots)
    IE - HKU\S-1-5-21-416316350-3595011630-1666308196-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&babsrc=SP_def&AF=18556
    IE - HKU\S-1-5-21-416316350-3595011630-1666308196-1000\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekko.com/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb&u=201203299BB94222B3816B3AE3BCDE49&q={searchTerms}
    IE - HKU\S-1-5-21-416316350-3595011630-1666308196-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={8E1213CB-4B79-4FDC-93F6-9BFE4BA30D0D}&mid=cae82e3c85fc47d18231cd3c4e616728-b8ff5b388627ac0233287c0d552780e94959496b&lang=en&ds=AVG&pr=fr&d=2012-05-26 22:42:43&v=11.0.0.9&sap=dsp&q={searchTerms}
    IE - HKU\S-1-5-21-416316350-3595011630-1666308196-1000\..\SearchScopes\{EABEFFA1-2DC6-4850-B2D8-46EBA5C8ABB3}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=WBG&o=15136&src=crm&q={searchTerms}&locale=&apn_ptnrs=RS&apn_dtid=YYYYYYYYUS&apn_uid=E9E00F9F-4956-41FC-82F9-822128AAC96F&apn_sauid=865B95FF-465F-4703-9DC3-53997B84A9DC
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
    [2012/02/23 12:16:09 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\eat21ydk.default\extensions\ffxtlbr@babylon.com
    [2012/05/25 22:23:39 | 000,000,000 | ---D | M] (Yontoo) -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\eat21ydk.default\extensions\plugin@yontoo.com
    [2012/04/09 23:49:39 | 000,002,572 | ---- | M] () -- C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\eat21ydk.default\searchplugins\askcom.xml
    File not found (No name found) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX\DONOTTRACK
    File not found (No name found) -- C:\PROGRAMDATA\AVG SECURE SEARCH\11.0.0.9
    [2012/01/13 14:52:55 | 000,002,226 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
    CHR - default_search_provider: AVG Secure Search (Enabled)
    CHR - default_search_provider: search_url = http://isearch.avg.com/search?cid={8E1213CB-4B79-4FDC-93F6-9BFE4BA30D0D}&mid=cae82e3c85fc47d18231cd3c4e616728-b8ff5b388627ac0233287c0d552780e94959496b&lang=en&ds=AVG&pr=fr&d=2012-05-26 22:42:43&v=11.0.0.9&sap=dsp&q={searchTerms}
    CHR - plugin: AVG Internet Security (Enabled) = C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2161_0\plugins/avgnpss.dll
    CHR - plugin: AVG SiteSafety plugin (Enabled) = C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\11.0.2\\npsitesafety.dll
    O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll File not found
    [2012/05/27 18:50:18 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\{43534B4D-BA34-4946-B192-FC0B9C5DC107}
    [2012/05/27 18:49:49 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\{250A9D3F-C470-40C1-833C-ED3E4B672432}
    [2012/05/27 18:35:14 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\{8E391187-7580-4D38-A55C-CFF71930A774}
    [2012/05/27 18:34:50 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\{C44A6BB0-DDAA-4482-BCF7-B22123C83E6A}
    [2012/05/26 21:50:23 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\{3D52300F-9B15-415F-ADDC-D53B38C82975}
    [2012/05/26 21:49:59 | 000,000,000 | ---D | C] -- C:\Users\James\AppData\Local\{EA01B644-7308-47EE-8CBF-4406106C1B00}
    [2012/05/26 19:31:22 | 001,973,368 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Users\James\Desktop\avg_remover_stf_x86_2012_2125.exe
    [2012/05/25 22:23:45 | 000,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
    [2012/05/25 22:23:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Task Manager
    [2012/05/25 22:23:31 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
    [2012/05/26 21:02:43 | 000,034,816 | ---- | M] () -- C:\Windows\System32\drivers\repealerofroots.sys
    [2012/05/26 21:01:16 | 000,472,064 | ---- | M] ( ) -- C:\Users\James\Desktop\RootRepeal.exe
    [2012/05/26 19:34:59 | 000,465,298 | ---- | M] () -- C:\Users\James\Desktop\RootRepeal.rar
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [COLOR="DarkRed"]:files[/COLOR]
    netsh winsock reset /c
    [COLOR="DarkRed"]:reg[/COLOR]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EABEFFA1-2DC6-4850-B2D8-46EBA5C8ABB3}]
    [COLOR="DarkRed"]:commands[/COLOR]
    [purity]
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the [​IMG] button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now reinstall Opera and test for redirects in all browsers.
     
  7. JackTheTripper1

    JackTheTripper1 Private E-2

    Fix ran. Log attached. Installed Opera. Checked all browsers, using Google and a site I go to frequently that triggered the redirection in Opera (with Google being the second most redirected site). In Firefox, Opera, Chrome, and IE, I did not get any redirects at all, and those are the only browsers I've ever installed and/or used on this netbook.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Glad to hear it :)

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it present
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  9. JackTheTripper1

    JackTheTripper1 Private E-2

    I copied the code into Run, and ran it, yet I still see ComboFix.exe on my desktop. Is that normal?
    Disregard that, it just took a bit longer than I expected to uninstall.

    Oh, I also have a bit of a serious question: near the beginning of this infection, when I still didn't realize that it wasn't just part of my connectivity troubles, I accessed some sensitive personal information online as part of some school loan payments and such. In any case, I plan on changing all my passwords now that my computer is (hopefully) clean, but should I be concerned that someone may have stuff like my social security number? I'm not entirely sure what the logs showed; was there anything on my system that could have let someone steal it?
     
  10. thisisu

    thisisu Malware Consultant

    According to your logs, no. But changing the passwords is a good idea to be on the safe side.
     
  11. JackTheTripper1

    JackTheTripper1 Private E-2

    Oh thank God, that is a huge load off of my mind.

    Thank you so much for your help; I really appreciate the guidance. I know that's what you all are here for, but it's still quite awesome that you all are doing this free of charge... And in a surprisingly easy to follow and timely manner; I didn't expect this issue to be resolved even half as quickly and easily as it was. You guys rock.

    Now hopefully I don't end up catching anything again. Blargh. Definitely gonna be more careful around the web now.
     
  12. thisisu

    thisisu Malware Consultant

    You're welcome. Thank you for the compliment :)
     

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds