
Thread: Web Pages Redirect

  1. #11
    Member
    Join Date
    May 2008
    Posts
    60


    Hi,

    Yesterday Malware Bytes detected three trojans and then I went back to search using Google and got redirected again. Later that evening I ran Malware Bytes again and it didn't detect anything (I go into greater detail in the link to the first thread I started yesterday). BUT late that night I checked quarantine and noted only two trojans there; I deleted them, and when I created my initial thread I pasted it in for the Spybot team to analyze.

    What I'm getting at is that I don't know if the problem was cleared up PRIOR to my starting this thread or if the trojans are hidden somewhere. Anyway, I'm pasting in the Malware Bytes quick scan then I'll run the ESET Online Scanner and post those results when it's done running.

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.09.01

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Martin Family :: MARTINFAMILY-PC [administrator]

    8/8/2012 9:44:16 PM
    mbam-log-2012-08-08 (21-44-16).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 195123
    Time elapsed: 4 minute(s), 42 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

  2. #12
    Member
    Join Date
    May 2008
    Posts
    60


    I ran the ESET Online Scanner in Internet Explorer. It detected two threats but did not give the option of listing the threats; instead it gave me a purchase option or a 30-day free trial, therefore I don't have a log file. I did see (while it was running) that trojans were detected.

    Should I run it again?

  3. #13
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038


    Yes please run it again.

  4. #14
    Member
    Join Date
    May 2008
    Posts
    60


    Here is the ESET Online Scanner log file

  5. #15
    Member
    Join Date
    May 2008
    Posts
    60


    I'm pasting it in for you, too.


    C:\Users\Martin Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\13673cb0-55778b43 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
    C:\Users\Martin Family\AppData\Roaming\Mozilla\Firefox\Profiles\lhdogrld.default\extensions\seazrxxgzk@seazrxxgzk.org.xpi JS/Redirector.NCA trojan

  6. #16
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038


    Hi,

    Good job!!

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      ClearJavaCache::

      File::
      C:\Users\Martin Family\AppData\Roaming\Mozilla\Firefox\Profiles\lhdogrld.default\extensions\seazrxxgzk@seazrxxgzk.org.xpi
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------

    In your next reply please post the new ComboFix log and let me know how your system is running.

  7. #17
    Member
    Join Date
    May 2008
    Posts
    60


    Hello,

    I've pasted the text into the Notepad code box, but I don't have the option of saving it to my desktop. I saved the file as CFScript.txt and changed "Save as type" to "All files", but when attempting to save, it only provides Documents as an option, NOT Desktop.

    Please advise.

    Quote Originally Posted by jeffce:
    Hi,

    Good job!!

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------

    In your next reply please post the new ComboFix log and let me know how your system is running.

  8. #18
    Member
    Join Date
    May 2008
    Posts
    60

    Problems With Combo Fix

    I dragged CFScript to ComboFix BUT when I attempted to run it, I was told that I couldn't save it under a ComboFix name and to rename the file. But when I made a second attempt, I was able to start ComboFix. Thank you for helping me with this problem. I'm now posting the log file:

    ComboFix 12-08-09.01 - Martin Family 08/09/2012 18:51:41.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1634 [GMT -5:00]
    Running from: c:\users\Martin Family\Desktop\ComboFix.exe
    Command switches used :: c:\users\Martin Family\Desktop\CFScript.txt
    AV: AVG Internet Security 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    FW: AVG Internet Security 2012 *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
    SP: AVG Internet Security 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\users\Martin Family\AppData\Roaming\Mozilla\Firefox\Profiles\lhdogrld.default\extensions\seazrxxgzk@seazrxxgzk.org.xpi"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Martin Family\AppData\Roaming\Mozilla\Firefox\Profiles\lhdogrld.default\extensions\seazrxxgzk@seazrxxgzk.org.xpi
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-09 to 2012-08-09 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-09 23:59 . 2012-08-09 23:59 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-08-09 23:59 . 2012-08-09 23:59 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-09 13:49 . 2012-08-09 13:49 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{16D7E025-F159-4AF0-B9CE-2F7CA0C87A50}\offreg.dll
    2012-08-09 13:45 . 2012-07-16 07:41 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{16D7E025-F159-4AF0-B9CE-2F7CA0C87A50}\mpengine.dll
    2012-08-09 02:58 . 2012-08-09 02:58 -------- d-----w- c:\program files\ESET
    2012-08-08 11:52 . 2012-08-09 01:27 -------- d-----w- c:\program files\ERUNT
    2012-08-08 01:20 . 2012-08-08 01:20 -------- d-----w- c:\programdata\Kaspersky Lab
    2012-07-17 14:03 . 2012-07-17 14:03 -------- d-----w- C:\AVG2012
    2012-07-16 19:50 . 2012-07-16 19:50 -------- d-----w- c:\program files\AVG Secure Search
    2012-07-12 13:59 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 17:58 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2012-07-11 17:58 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 17:58 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 17:58 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-11 17:58 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-07-11 17:58 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-03 01:46 . 2012-04-04 11:49 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-03 01:46 . 2011-05-17 14:22 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-03 18:46 . 2009-07-10 23:50 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-20 13:03 . 2010-06-24 17:33 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-06-02 22:19 . 2012-06-21 13:13 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 13:13 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 13:12 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 13:12 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 13:12 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 13:13 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 13:12 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 20:19 . 2012-06-21 13:12 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 20:12 . 2012-06-21 13:12 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-31 17:25 . 2009-10-03 12:05 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-20 14:27 . 2012-05-20 14:27 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2012-07-18 04:53 . 2012-02-13 13:35 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    2011-10-21 09:10 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-07-16 19:50 2074208 ----a-w- c:\program files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-10-21 87440]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-16 2074208]
    .
    [HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-10-17 972080]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
    "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-10 39408]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-05 2424192]
    "AROReminder"="c:\program files\ARO 2011\ARO.exe" [2011-01-25 2312048]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-27 92704]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-07-03 973488]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "IconixOEAddOn"="c:\program files\Iconix\OEAddOn\OEdmn_6.exe" [2012-03-21 343392]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
    "vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-07-16 1107552]
    .
    c:\users\Martin Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe [2008-9-8 430080]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-09 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 01:46]
    .
    2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 18:57]
    .
    2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 18:57]
    .
    2012-08-05 c:\windows\Tasks\PCDRScheduledMaintenance.job
    - c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://www.yahoo.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
    FF - ProfilePath - c:\users\Martin Family\AppData\Roaming\Mozilla\Firefox\Profiles\lhdogrld.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.duckduckgo.com/
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bb4e5add5-6007-493c-b3eb-a497bd2834d0%7D&mid=46128029ee8747d097a7d16c5707ed62-a191216ca99fa9b2aa327703be8d3ca57ae4a29a&ds=AVG&v=11.1.0.12&lang=en&pr=pr&d=2012-06-17%2008%3A06%3A21&sap=ku&q=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-09 18:59
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
    "ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-08-09 19:01:02
    ComboFix-quarantined-files.txt 2012-08-10 00:01
    ComboFix2.txt 2012-08-09 01:18
    .
    Pre-Run: 157,223,268,352 bytes free
    Post-Run: 156,705,402,880 bytes free
    .
    - - End Of File - - 8DF12F5247F60DA7D03A98E2479A9C12
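A small triage helper, added here as an example and not code from the thread, Spybot or ComboFix: it parses the "Files Created"/Find3M lines and the Run-key autostart values from a ComboFix log like the one above into structured records, then flags any path inside a Firefox profile's extensions folder or the Java Deployment cache, the two locations the ESET scan earlier in this thread reported. The log excerpt embedded in it is constructed from lines in this post, with the .xpi entry's timestamp and size made up for the example.

```python
# Added example (not ComboFix's own code): parse "Files Created"/Find3M lines and
# Run-key values from a ComboFix log, then flag paths in the locations ESET reported.
import re
from typing import NamedTuple, Optional

class FileEntry(NamedTuple):
    created: str
    modified: str
    size: Optional[int]  # None for directory entries ("--------")
    attrs: str
    path: str

class RunEntry(NamedTuple):
    key: str
    name: str
    path: str
    date: str
    size: int

# created . modified size attrs path   (see the sample lines below)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
                     r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')

# Firefox profile extensions folder (the JS/Redirector .xpi) and the Java
# Deployment cache (the Java/TrojanDownloader hit), matched on lowercased paths.
SUSPECT_RES = (
    re.compile(r"\\firefox\\profiles\\[^\\]+\\extensions\\"),
    re.compile(r"\\sun\\java\\deployment\\cache\\"),
)

# Constructed excerpt from lines in this post; the .xpi entry's date/size are made up.
SAMPLE_LOG = r"""
((((( Files Created from 2012-07-09 to 2012-08-09 )))))
.
2012-08-09 02:58 . 2012-08-09 02:58 -------- d-----w- c:\program files\ESET
2012-07-12 13:59 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-08-07 20:12 . 2012-08-07 20:12 51200 ----a-w- c:\users\Martin Family\AppData\Roaming\Mozilla\Firefox\Profiles\lhdogrld.default\extensions\seazrxxgzk@seazrxxgzk.org.xpi
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-10 39408]
"""

def parse_combofix(text):
    """Return ([FileEntry], [RunEntry]) for the line formats recognised above."""
    files, runs, key = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := FILE_RE.match(line):
            size = None if m.group(3).startswith("-") else int(m.group(3))
            files.append(FileEntry(m.group(1), m.group(2), size, m.group(4), m.group(5)))
        elif m := KEY_RE.match(line):
            key = m.group(1)  # values that follow belong to this registry key
        elif (m := RUN_RE.match(line)) and key and key.upper().endswith("\\RUN"):
            runs.append(RunEntry(key, m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return files, runs

def suspect_paths(paths):
    # Keep only paths that sit inside the Firefox extensions or Java cache dirs.
    return [p for p in paths if any(r.search(p.lower()) for r in SUSPECT_RES)]
```

Feeding a full log to parse_combofix and passing every path to suspect_paths gives a short review list instead of reading the whole report by eye; entries that ComboFix already deleted will of course no longer appear in a post-run log.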

  9. #19
    Member
    Join Date
    May 2008
    Posts
    60


    The system seems to be okay, but I haven't done any significant web searches. Right now I'm using duck duck go and used it to find yahoo to sign into my email.

  10. #20
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038


    Go ahead and use your system as you normally would and see how it is behaving.

    Download Security Check by screen317 from here or here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt
    • Please post the contents of that document.

    ----------
