
Thread: Mfeed.in Redirect Returns

  1. #11
    Member
    Join Date
    Mar 2008
    Posts
    71

    Systemlook 2nd try

    Here's the log. Same results. I hope that means it's gone. Have to get up in 5 hrs and go to work, so signing off for now. Will check back before I leave for work. Thanks, D58

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 15:37 on 18/07/2010 by Administrator (Administrator - Elevation successful)

    ========== file ==========

    c:\documents and settings\administrator\local settings\Temp\GNUAN.exe - Unable to find/read file.

    -=End Of File=-

  2. #12
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Let's try this

    You need to enable Windows to show all files and folders, instructions Here

    Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has been checked before, have them check it again


    c:\documents and settings\administrator\local settings\Temp\GNUAN.exe

    If the site is busy you can try this one

    http://virusscan.jotti.org/en
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #13
    Member
    Join Date
    Mar 2008
    Posts
    71

    no GNUAN.EXE

    Made sure Folder settings are set to show ALL files as instructed. Opened every Temp folder in Documents and Settings, just to be sure. Could not find GNUAN.EXE. Off to work. Back in 9.5 hrs [not so bad really, includes drive time + 1 hr lunch]. D58

  4. #14
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    I am asking other helpers about this, generally exe files don't run out of a temp folder, be back in a bit

  5. #15
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    It appears it's related to some sort of online game, like chess for instance, do you play online chess?

  6. #16
    Member
    Join Date
    Mar 2008
    Posts
    71

    No chess

    I don't play chess, and never played online. No idea when or how it appeared. D58

  7. #17
    Member
    Join Date
    Mar 2008
    Posts
    71

    More Info

    Am currently running in Standard Boot Mode. No problems with SVCHOST or CSRSS. Unable to reproduce problem with audio, but that may have been caused by stopping SVCHOST process. No Google or other pop-ups/redirects. Am currently running a Kaspersky Online scan. D58

  8. #18
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    That's nice to hear, it appears the file we have been looking at is ok, this is what it's related to, how it got on your system I don't know
    http://www.programmersheaven.com/dow...pFileList.aspx
    http://www.gnu.org/software/chess/


    Run this online scan to sweep for things we may have missed, if this comes back ok you will be good to go

    Please run this free online virus scanner from ESET
    • Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
    • Click Scan
    • Wait for the scan to finish
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic

  9. #19
    Member
    Join Date
    Mar 2008
    Posts
    71

    eset log

    Did not check 'scan archives', did check: 'remove found threats' + 'scan for potentially unwanted applications'. 'Enable anti-stealth technology' is checked by default. Note: Country0, 2, and 3 are old renamed versions of Combofix, just as well to be rid of them.
    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=7b49d530c56b7747b13f9878c59ab660
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-07-19 08:37:34
    # local_time=2010-07-19 02:37:34 (-0700, Mountain Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 46965452 46965452 0 0
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=1026 16777214 0 2 38494668 38494668 0 0
    # compatibility_mode=1797 16775141 100 94 0 51276858 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=153712
    # found=8
    # cleaned=8
    # scan_time=6312
    C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country0.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country2.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country3.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Program Files\Unlocker\eBay_shortcuts_1016.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Program Files\Topaz Labs LLC\Topaz Moment PE\tltmpro35.dll probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{A08155B8-3425-4173-9474-2C7C1FC3A3D2}\RP333\A0023296.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{A08155B8-3425-4173-9474-2C7C1FC3A3D2}\RP333\A0023297.dll probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    E:\NeroDemo12550\Toolbar.exe Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    Way past sack time, even for a day off. Back in 8 hrs or so. D58
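
A triage pass over the ESET log format posted in #19, as an added example that is not part of the original thread: it parses the header fields and detection lines, then reports per-threat counts, hits inside System Restore points, and the matches the log itself words as "probably". The line layout is inferred from the posted log rather than from ESET documentation, and the function names are hypothetical.

```python
import re
from collections import Counter

# Excerpt of the log posted above, cut to three detections; the found/cleaned
# counts are adjusted to match the excerpt.
SAMPLE_LOG = r"""# archives_checked=false
# found=3
# cleaned=3
C:\Documents and Settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country0.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{A08155B8-3425-4173-9474-2C7C1FC3A3D2}\RP333\A0023296.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C
E:\NeroDemo12550\Toolbar.exe Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Assumed layout (inferred from the posted log, paths may contain spaces):
#   <path> [[probably ]a variant of] <threat> <kind> (<action>) <32 hex> <flag>
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<qualifier>(?:probably )?a variant of )?"
    r"(?P<threat>\S+/\S+) (?P<kind>\w+) \((?P<action>[^)]*)\) [0-9A-Fa-f]{32} \w$"
)

def parse_eset_log(text):
    """Split the log into '# key=value' header fields and detection records."""
    header, detections = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key] = value  # a repeated key keeps its last value
        elif (m := DETECTION.match(line)):
            detections.append(m.groupdict())
    return header, detections

def triage(text):
    """Summarise the points a helper checks before declaring a machine clean."""
    header, detections = parse_eset_log(text)
    notes = []
    if header.get("found") != str(len(detections)):
        notes.append("header 'found' differs from the detections listed")
    if header.get("found") != header.get("cleaned"):
        notes.append("some detections were not cleaned")
    if header.get("archives_checked") == "false":
        notes.append("archives were not scanned")
    return {
        "by_threat": Counter(d["threat"] for d in detections),
        # Hits on copies saved inside System Restore snapshots.
        "in_restore_points": [d["path"] for d in detections
                              if "\\system volume information\\_restore" in d["path"].lower()],
        # The log's own 'probably' wording marks a less certain match.
        "uncertain": [d["path"] for d in detections
                      if (d["qualifier"] or "").startswith("probably")],
        "notes": notes,
    }
```
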

  10. #20
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Looking good. If you're happy with the way things are running then let's clean up what we have done.

    DDS <---Drag it to the trash

    TFC <-- Yours to keep, run it now and then to clean out the clutter.

    Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

    Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

    • Click START then RUN
    • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • When shown the disclaimer, Select "2"


    The above procedure will:
    • Delete the following:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    Now to remove most of the tools that we have used in fixing your machine:
    • Make sure you have an Internet Connection.
    • Download OTC to your desktop and run it
    • A list of tool components used in the cleanup of malware will be downloaded.
    • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
    • Click Yes to begin the cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

    Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot, you can still install Spybot Search and Destroy but do not enable the TeaTimer.

    Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
    • Spybot Search and Destroy 1.6
      Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended) then do not enable the TeaTimer in Spybot Search and Destroy.
    • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
    • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
    • IE-Spyad
      IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.



    Safe Surfn
    Ken
