Toseeka, FindStuff, CouponMountain

Discussion in 'Malware Help (A Specialist Will Reply)' started by jhoylman, Feb 3, 2009.

  1. jhoylman

    jhoylman Private E-2

    Hello all,

    I have been bitten by Malware and can not seem to get rid of it...please help! :)

    Sometimes my search results are redirected. Some of the redirected sites include, but are not limited to:
    http://216.195.52.100/
    http://www.couponmountain.com
    http://searchexplorer.com
    http://toseeka.com
    http://findstuff.com

    I went through the READ AND RUN ME FIRST section of the forum. A few things were found and removed, but I am still having issues. I have attached my logs to this post and the next...
     

    Attached Files:

  2. jhoylman

    jhoylman Private E-2

    SAS Log File...

    Thank you,
    Jared
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Something did not work quite right with MGtools. One of the logs named newfiles.txt in the MGlogs.zip file is incomplete. Please do the below.

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>

    ShowNew <-- this will try to run another scan from ShowNew.bat. Tell me what error messages, if any, you see. You can just close the Notepad window that pops up with the newfiles.txt log in it.


    Now attach the new C:\MGlogs.zip file which will have a new log added to it.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also, do you know what the below are that showed up on 1/19/2009? Did you install or update any hardware? Is this when your problems began?
    Code:
    2009-01-19 10:49 . 2009-01-19 10:49 <DIR>   c:\program files\Common Files\CAD
    2009-01-19 10:46 . 2009-01-19 10:46 79,742  C:\splkInstall_6.1.3.3.dbg
    2009-01-19 10:46 . 2009-01-19 10:41 407     C:\splkInstall_Obj_6.1.3.3.dbg
    2009-01-19 10:41 . 2009-01-19 10:46 <DIR>   C:\Temp
    2009-01-19 10:13 . 2002-11-25 16:05 111,486 c:\windows\SYSTEM32\DRIVERS\Cp215.sys
    2009-01-19 10:13 . 2001-12-05 16:18 76,136  c:\windows\SYSTEM32\DRIVERS\Mp910.sys
     
  5. jhoylman

    jhoylman Private E-2

    New MGLogs.zip file is attached.

    cp215.sys and mp910.sys I recognize. They are drivers for a program I use at work.

    The splk* files were created when my company did an update for our IP phone system on 1/19.

    The "c:\program files\Common Files\CAD" I am not sure of...

    The problem has only been happening for the past two or three days.

    Thanks,

    Jared
     

    Attached Files:

  6. jhoylman

    jhoylman Private E-2

    Forgot to mention...there were a few error lines that said "The system cannot execute the specified program."

    I've attached a screen shot of CMD window.

    Thanks,

    Jared
     

    Attached Files:

  7. jhoylman

    jhoylman Private E-2

    Finally got it to work... had to delete the following lines out of ShowNew.bat

    Code:
    grep -v -U -E "Entries:|Directories:|Bytes:|0 1601-01-01"  %systemdrive%\MGtools\newfiles.txt > %systemdrive%\MGTools\temp\filter.txt
    copy %systemdrive%\MGTools\temp\filter.txt  %systemdrive%\MGtools\newfiles.txt   >nul

    newfiles.txt is attached
     

    Attached Files:

  8. jhoylman

    jhoylman Private E-2

    Google search results were redirecting to other search sites.
    Some google subdomains (mail.google.com and feedburner.google.com) came up as not found.

    I think I have this one fixed...

    I found this file:

    C:\Program Files\Common Files\System\famyqax_srp32.dll

    VirusTotal.com marked it as a potential problem:
    http://www.virustotal.com/analisis/b5005a306a275d4f5242544e92dcc812

    I renamed the file to:
    C:\Program Files\Common Files\System\famyqax_srp32.dl_

    And then went to:
    Start > Run > devmgmt.msc to open the Device Manager
    Clicked on View > Show Hidden Devices

    Found:
    famyqax_srp32

    Then right clicked > Disable

    I rebooted and the redirection problem went away.

    Just to note, I ran SUPERAntiSpyware, Malwarebytes, Spybot S&D, ComboFix, Norton AV, Trend Micro HouseCall, and Kaspersky. Nothing detected it.

    Is this a new variant?

    Also, let me know if there is anything else I need to do to clean my system.

    Thanks,

    Jared
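    The poster found the driver by hand through Device Manager's hidden devices. As an added example (not from the thread or from MGtools), the PowerShell below enumerates every kernel driver Windows knows about and flags the ones whose image lives outside the normal driver directory or lacks a valid Authenticode signature, printing a SHA-256 that can be checked on VirusTotal the same way the poster did. It assumes an elevated PowerShell 5+ prompt; the path and signature heuristics are the example's own, not a rule from the thread.

```powershell
# Added example: surface kernel drivers that look out of place, the way the
# thread's famyqax_srp32.dll (loaded from Common Files\System, visible only as a
# hidden device) would. Run from an elevated PowerShell prompt.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

Get-CimInstance Win32_SystemDriver | ForEach-Object {
    # PathName may be quoted or use \??\ or \SystemRoot\ prefixes; normalise it.
    $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^"|"$', ''
    if (-not $path) { return }
    if ($path -match '^\\SystemRoot\\') {
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    }

    $outsideDriverDir = -not $path.StartsWith($driverDir, [StringComparison]::OrdinalIgnoreCase)
    $exists = Test-Path -LiteralPath $path
    $sigStatus = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status }
                 else         { 'FileMissing' }

    if ($outsideDriverDir -or $sigStatus -ne 'Valid') {
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State      # Running entries deserve the first look
            StartMode = $_.StartMode
            Path      = $path
            Signature = $sigStatus
            # Hash to look up on VirusTotal, as the poster did with the original file
            Sha256    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
                        else         { $null }
        }
    }
} | Sort-Object State, Name | Format-Table -AutoSize
```

    Many in-box drivers are signed through catalog files rather than embedded signatures, so Get-AuthenticodeSignature reports them as NotSigned; treat an unfamiliar name combined with an image path outside System32\drivers as the stronger signal, and confirm with the hash before disabling anything.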
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These are fixed in the new version of MGtools. This was a problem related to something within Windows that only occurs on some PCs. I found a workaround and added it into MGtools.


    Now this does not make sense since we have tested this on probably more than 100 PCs by now and yours is the only one to have a problem with using grep at that point in the program. However, it does not matter since the new version of MGtools has also made changes that made those lines of code unnecessary.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not true. Take a look at your first ComboFix log and you will see that it pointed out the below:
    Code:
    --- Other Services/Drivers In Memory ---
    *Deregistered* - famyqax_srp
    
    Yes, it is a new one. They come out every day. ;)

    Is the below registry entry also something you or your company added?
    Your logs are looking clean other than what you just removed on your own; however, I would appreciate it if you would download and run the new version of MGtools just to make sure it runs properly on your PC, since something is a little different about your PC. You can get the new version here: MGtools.exe. This link will work until the next update, so as long as you don't take too long to come back it will work. Otherwise you will need to download it from the link embedded here: Using MGtools

    After downloading and running this version, please attach the new C:\MGlogs.zip file.


    Are you still having any malware problems?
     
    Last edited: Feb 7, 2009
