TechSpot

Google and Yahoo redirect - 8 step preliminary turns back no results

Solved
By mforgetable
Apr 4, 2010
  1. All of my search engines are redirecting to other sites, most of them declared unsafe. My computer has turned into pop-up city as well, even when trying to post a thread on this site. I have run the preliminaries and all come back with no harmful/suspicious entries. I am attaching logs as requested. Not sure what to do? Could someone please help me out? I have papers to write for my college courses and can't do the research due to this.
    Please, any recommendations would be greatly appreciated! Thank you
     


  2. mforgetable

    mforgetable TS Rookie Topic Starter

    avira pop-up related to problems

    While browsing TechSpot, Avira popped up ---> type: detection of a virus or unwanted program, 'html/infected.webpage.gen' was found in file 'c:\Documents and Settings\...\2[1].php', access to file denied --> further action --> tick remove
    details of detection:
    c:\Documents and Settings\Network Service.NTAuthority\LocalSettings\TemporaryInternetFiles\Content.IE5\XW345125\2[1].php --- contains recognition pattern of the HTML/Infected web page.gen HTML script virus --> move to quarantine.

    I apply "move to quarantine" now and it says:

    The file 'C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\XW345125\2[1].php'
    contained a virus or unwanted program 'HTML/Infected.WebPage.Gen' [virus]
    Action(s) taken:
    An error has occurred and the file was not deleted. ErrorID: 26004.
    The source file could not be found.
    Attempting to perform action using the ARK library.
    The file could not be copied to quarantine!
    The file does not exist!
    The file is scheduled for deleting after reboot.

    AND:

    Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
    detected in file 'C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\XW345125\2[1].php.
    Action performed: Allow access

    Also, a few days ago I had these through Avira as well. I believe I had removed them all prior to finding this forum, however:
    Virus or unwanted program 'TR/Drop.Softomat.AN [trojan]'
    detected in file 'C:\WINDOWS\system32\winooq32.dll.
    Action performed: Deny access

    AND:
    Virus or unwanted program 'BDS/WinO.A [backdoor]'
    detected in file 'C:\RECYCLER\S-1-5-21-73586283-1500820517-725345543-1003\Dc4.exe.
    Action performed: Deny access

    AND:
    The file 'C:\System Volume Information\_restore{BADC0BDB-F2F3-43AE-A84F-06E11468BFFE}\RP88\A0029637.exe'
    contained a virus or unwanted program 'TR/Agent.3244192' [trojan]
    Action(s) taken:
    The file was moved to the quarantine directory under the name '432c711c.qua'.

    AND:
    The file 'C:\Program Files\Games\Aveyond 4 - Gates of Night\Aveyond - Gates of Night.exe'
    contained a virus or unwanted program 'WORM/SdBot.61440.11' [worm]
    Action(s) taken:
    The file was moved to the quarantine directory under the name '6219388d.qua'.

    AND:
    The file 'C:\System Volume Information\_restore{BADC0BDB-F2F3-43AE-A84F-06E11468BFFE}\RP125\A0041952.exe'
    contained a virus or unwanted program 'TR/Spy.Gampass.CV' [trojan]
    Action(s) taken:
    The file was moved to the quarantine directory under the name '19f47883.qua'.

    AND:
    The file 'C:\games\3Stars\3Stars.exe'
    contained a virus or unwanted program 'BDS/Bot.94784' [backdoor]
    Action(s) taken:
    The file was moved to the quarantine directory under the name '561a2c27.qua'.

    AND:
    The file 'C:\Program Files\Aveyond 2\Uninstall.exe'
    contained a virus or unwanted program 'TR/Spy.Gampass.CV' [trojan]
    Action(s) taken:
    The file was moved to the quarantine directory under the name '4f4f17d8.qua'.

    AND:
    The file 'C:\System Volume Information\_restore{BADC0BDB-F2F3-43AE-A84F-06E11468BFFE}\RP137\A0043043.exe'
    contained a virus or unwanted program 'BDS/Bot.94784' [backdoor]
    Action(s) taken:
    The file was moved to the quarantine directory under the name '554c54c9.qua'.

    AND:
    The file 'C:\System Volume Information\_restore{BADC0BDB-F2F3-43AE-A84F-06E11468BFFE}\RP154\A0044410.dll'
    contained a virus or unwanted program 'TR/Drop.Softomat.AN' [trojan]
    Action(s) taken:
    The file was moved to the quarantine directory under the name '09e40454.qua'.

    AND:
    The file 'C:\System Volume Information\_restore{BADC0BDB-F2F3-43AE-A84F-06E11468BFFE}\RP154\A0044461.exe'
    contained a virus or unwanted program 'BDS/WinO.A' [backdoor]
    Action(s) taken:
    The file was moved to the quarantine directory under the name '5bbb5ebc.qua'.

    AND:
    The file 'C:\System Volume Information\_restore{BADC0BDB-F2F3-43AE-A84F-06E11468BFFE}\RP139\A0043097.exe'
    contained a virus or unwanted program 'BDS/Bot.94784' [backdoor]
    Action(s) taken:
    The file was moved to the quarantine directory under the name '2a5766a8.qua'.

    AND:
    The file 'C:\System Volume Information\_restore{BADC0BDB-F2F3-43AE-A84F-06E11468BFFE}\RP153\A0044407.dll'
    contained a virus or unwanted program 'TR/Drop.Softomat.AN' [trojan]
    Action(s) taken:
    The file was moved to the quarantine directory under the name '6fd34b96.qua'.

    System Restore does not work; it says it can't restore to any of the dates I try. I have deleted all of the above directories as well as any games associated with them. --> My cousin downloaded the games; I don't know where from, though. They seemed to be causing a problem, so I used Add/Remove Programs on all of them and searched their directories and removed them as well. Not sure if I got them all, though?!
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, it would be much better if I saw those entries in a log. Give me time to check your original prelim.

    For your information, System Volume is where the System Restore points are. It means there is malware in the restore points. At the end of cleaning, I'll have you remove the old restore points and create a new, lean one. For now, please do not use the System Restore feature. Malware in the restore points cannot infect the system unless you do a system restore and happen to choose a date that has malware. In the meantime:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

    I'll have you do an online scan for the AV:

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave the Combofix report and Eset log in your next reply.

    Please do not run any other cleaning programs while I am helping you. Don't make Registry changes or run a Registry cleaner.

    It is not necessary for you to list out entries in any antivirus log. I'm taking a break now and will be back in a bit to check the logs.
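The point made above about restore points is the kind of triage a helper does by eye when reading the Avira notifications quoted earlier in the thread. As an added example (not the helper's code, nor anything shipped with Avira), here is a small Python script that parses those notification blocks, classifies each flagged file by where it sat, and separates the dormant restore-point copies from files that are still on disk in live locations; the location classes and the "removed" rule are assumptions of this example, based only on the actions Avira reported.

```python
import re

# Constructed sample: four of the Avira notifications quoted earlier in this thread,
# in both layouts Avira uses ("The file ... contained ..." and "... detected in file ...").
SAMPLE_LOG = r"""
Virus or unwanted program 'TR/Drop.Softomat.AN [trojan]'
detected in file 'C:\WINDOWS\system32\winooq32.dll.
Action performed: Deny access

The file 'C:\System Volume Information\_restore{BADC0BDB-F2F3-43AE-A84F-06E11468BFFE}\RP88\A0029637.exe'
contained a virus or unwanted program 'TR/Agent.3244192' [trojan]
Action(s) taken:
The file was moved to the quarantine directory under the name '432c711c.qua'.

The file 'C:\Program Files\Games\Aveyond 4 - Gates of Night\Aveyond - Gates of Night.exe'
contained a virus or unwanted program 'WORM/SdBot.61440.11' [worm]
Action(s) taken:
The file was moved to the quarantine directory under the name '6219388d.qua'.

Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
detected in file 'C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\XW345125\2[1].php.
Action performed: Allow access
"""

# The path may be closed by a quote, a stray period, or both (the second layout drops the quote).
PATH_RE = re.compile(r"(?:The file|detected in file) '(?P<path>.+?)'?\.?\s*$", re.M)
NAME_RE = re.compile(r"(?:contained a virus or unwanted program|Virus or unwanted program) "
                     r"'(?P<name>[^'\[]+?)'? ?\[(?P<kind>\w+)\]")
ACTION_RE = re.compile(r"Action performed: (?P<a1>.+)|Action\(s\) taken:\s*\n\s*(?P<a2>.+)")

# Where the flagged file sat (assumed classes for this example). Only the first class is
# dormant: a restore-point copy does nothing unless that restore point is applied.
LOCATIONS = [
    ("restore point (dormant unless restored)", r"\\system volume information\\_restore"),
    ("browser cache", r"\\temporary internet files\\"),
    ("recycle bin", r"^[a-z]:\\recycler\\"),
    ("windows system dir", r"^[a-z]:\\windows\\"),
    ("installed program", r"^[a-z]:\\program files\\"),
]


def classify(path):
    lowered = path.lower()
    for label, pattern in LOCATIONS:
        if re.search(pattern, lowered):
            return label
    return "other"


def triage(log_text):
    """Parse Avira notification blocks and order them by how much they still matter."""
    findings = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        path_m, name_m, act_m = PATH_RE.search(block), NAME_RE.search(block), ACTION_RE.search(block)
        if not (path_m and name_m):
            continue  # not a detection block
        action = (act_m.group("a1") or act_m.group("a2")).strip() if act_m else "unknown"
        findings.append({
            "path": path_m.group("path"),
            "name": name_m.group("name"),
            "kind": name_m.group("kind"),
            "location": classify(path_m.group("path")),
            "action": action,
            # Only a move to quarantine takes the file off disk; Deny/Allow access leaves it in place.
            "removed": action.startswith("The file was moved to the quarantine"),
        })
    # Files still on disk in live locations first; dormant restore-point copies last.
    findings.sort(key=lambda f: (f["location"].startswith("restore point"), f["removed"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        state = "quarantined" if f["removed"] else "STILL ON DISK"
        print(f"{state:14} {f['location']:42} {f['name']} ({f['kind']})")
```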
     
  4. mforgetable

    mforgetable TS Rookie Topic Starter

    eset and combofix logs

    Sorry about the lapse in time. Had some troubles with ComboFix installing and running. I made a log of what happened if that is needed. Otherwise, here are the two logs you requested. Sorry about the Avira logs as well; it was the only thing I had. Won't do it again.

    BTW, upon completion of Eset, it asks if I want to uninstall Eset when finished. Do I tick that box or not? I still have that page open.

    Also I notice in the CF log that it shows antispyware and Avira guard/shadow under running processes. I have the free version of antispyware; it doesn't do real-time protection. As for Avira, I opened it and ticked deactivate on the guard, so that shouldn't have been running? I'm not sure what to do about that?

    When you say:
    I turned Avira back on (if it actually shut off), does that include the pop-ups from Avira that it wants me to remove? Should I not remove them and just ignore Avira for the time being? Also, Windows keeps notifying me that updates are ready for my computer. I'm gonna take a wild guess and say that I should wait to do that?

    Thank you for working through this with me as well! You are a saint! ;) I wait eagerly for your next instructions. Thanks
     


  5. mforgetable

    mforgetable TS Rookie Topic Starter

    While CF was running it said it detected rootkit activity and needed to reboot, as well as a window popping up and saying catchme.cfxxe-dll initialization failed. Thought you might want to know.

    *** Sorry for posting in other threads! It's an open thread so I thought it was okay to say good luck. Honestly didn't know it was bad. Rules just say not to reply to yourself repeatedly and I'm not sure what else I can do while waiting for a response. I don't want to mess anything up. I won't do it again! Promise. Didn't mean to be rude or a pest. I know you are volunteers. I didn't mean to cause you trouble. Sorry again! ***
     
  6. mforgetable

    mforgetable TS Rookie Topic Starter

    later, once removal completed

    If I may, if you have time that is. Once we have corrected my current issues, I would appreciate it if you could take a moment to help remove all the unneeded software and processes from my system. I've been reading up while waiting for a response and have taken a special interest here: (lol)

    http://www.techspot.com/vb/topic104136.html

    YOU state: (Bobbye)

    If you please, I would rather NOT the latitude. Your help would be greatly appreciated. Thank you!
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You are throwing a lot of 'stuff' out and not allowing me the time to handle it. We are volunteers here, we do have a life. Mine took me away from the computer most of today, so if you will just sit back, stop the questions and let me review the logs, I would appreciate it.

    1. Yes, it's fine to turn the AV back on after running Combofix and/or Eset.
    2. Do not uninstall Eset yet. I will have you run it again.
    3. I would suggest you just post the logs and not try to interpret them. If I note something that needs to be handled differently, such as the 'Real Time Protection', I will let you know.
    4. As for running unnecessary processes: every log I see has too many processes running. Most users don't take the time to learn what the processes are and if they need them to start on boot- and/or if a Service has to automatically start. There are numerous sites on the internet to help you with understanding this and what to do about it. I don't have the time to review this, but, as you found, can suggest that users investigate their own systems and use a good search engine to learn what they are for and if they need to run all the time.

    I will try to leave you a couple of reference sites when we're finished.

    The Virus and Malware Forum is always busy. And everyone wants/needs their problem fixed now. A cleaning can be very time consuming, so please sit back and allow me to review the logs.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You need to know that your antivirus program is outdated: AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}


    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad and copy/paste the text in the code below into it:

    Code:
    File::
    C:\WINDOWS\hostsvr\hostsvr.exe
    c:\\WINDOWS\\system32\\winver.exe
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WINSTART.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WINSTART.exe
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    
    Folder::
    
    Registry::
    
    Driver::
    svchostsvr
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    You have this program installed from 2006- do you know what it is?
    2006-11-20 03:02 -------- d-----w- c:\program files\AOD
     
  9. mforgetable

    mforgetable TS Rookie Topic Starter

    I wish I could tell you, but honestly I have no idea what that is. Seen it before but didn't know what it was, so I left it alone. Working on ComboFix now, will have the report shortly. THANK YOU. Sorry about before. I'm over eager. Sorry again
     
  10. mforgetable

    mforgetable TS Rookie Topic Starter

    Okay, CF complete log attached.

    Two errors when I ran it?
    1. CF pop-up: OS compatible only works with Windows 2000 and XP
    --- my only option was to click OK so I did, but CF ran anyway
    2. System rebooted better than it has in a while, except upon reboot a Windows error:
    WLAN configuration Utility has encountered a problem and needs to close.
    --- I clicked don't send to Microsoft

    Okay, ready for next instructions whenever you are. Thank you again for helping!
     


  11. mforgetable

    mforgetable TS Rookie Topic Starter

    as per message..

    I found out what the AOD thing is, I'm pretty sure. It's from a previous and very old installation of AOL. I thought I took out all that stuff. I got most of it. I guess I didn't get it all.

    quote from site:
    http://www.derkeiler.com/Newsgroups/microsoft.public.security/2004-07/0628.html

    Not sure if the site is important or not as per what it is. I don't use AOL, as I'm sure you can tell from the logs. :D It is the same file I had AOL Messenger in a while back; it's where it DL at. The folder is empty now though. At least it says it is.

    thanks for your time.
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please uninstall AOD in the Add/Remove Programs in the Control Panel. Then use Windows Explorer to remove the program file:
    Right click on Start> Explore> My computer> Double click on Local Drive (C)> Programs> find the AOD folder and right click> Delete.
    Close Windows explorer.

    It's a good idea to occasionally review the programs listed on Add/Remove Programs. Any you don't use should be uninstalled.

    Please run TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    Empty the Recycle Bin

    Follow with one more Eset scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Rescan with HijackThis. Please leave the new Eset log and the new HijackThis log. If they're clean, I'll have you remove the cleaning tools and old restore points.
     
  13. mforgetable

    mforgetable TS Rookie Topic Starter

    Logs are attached. Thank you

    It seems to be getting worse, not better? It's running unbearably slow. Avira is turning on and off at will; I keep having to restart the service. And every time I try to open I.E. the desktop goes blank for about 5 minutes and then comes back and opens 2 windows? I.E. is running really really slow. The attachment button is taking forever to load as well.
     


  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The only malware entries showing in the Eset log are:
    1. One entry in 'Qoobox'. This is the name of the quarantine folder for Combofix.
    2. Several entries in 'System Volume.' This is where the System Restore points are. These entries are not running in the system and can only cause a reinfection if you do a system restore and choose an infected restore point. I'll have you remove those at the end of cleaning.

    Please do the following:

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Remove all of the tools we used and the files and folders they created

    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    See how the system runs with the cleaning programs removed. The malware has also been removed. If your system problems continue, please start a new thread in the Windows OS forum. Give them your system information> make, model, hard drive size, installed RAM and an idea of the age of the system. They can help check your settings and maybe have you adjust for better performance.
     
  15. mforgetable

    mforgetable TS Rookie Topic Starter

    Okay Bobbye, as per your instructions, everything seems to be fine.
    SuperAntiSpyware quit working on me though. Froze up the computer on restart. I Add/Removed it. I hope that is not a problem.
    I kept 3 programs: Avira, Malwarebytes and CCleaner. Is CCleaner okay to use on a regular basis? (Once a week or so.)
    Also, if an antispyware is important, is there one other than Super that is good? (Was not the first time it froze the computer.)
    I will be following your instructions as far as the OS forum. I know I need RAM and have no idea where to start. lol

    Other than that I just want to say a tremendous thank you to you! You have been wonderful. Truly you are a saint to be helping people such as myself with this stuff. I really can't thank you enough for all this. Also, sorry for being a pest at times ;) Unfortunately, it's second nature to me. :( Again it was a pleasure and I very much appreciate all you have done! Thank You! :wave:
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. Glad to help. If you know you need RAM, best to go ahead and get it. Some of the programs we run, such as Malwarebytes, offer a free scan, which is all we need. Some require that you purchase the program if you plan on continued use. Here are some tips for security with links:

    Please follow these simple steps to keep your computer clean and secure:
    1. Disable and enable System Restore: see the System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    3. Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through configuring security settings, managing ActiveX controls and other safety features.
    4. Remove Temporary Internet Files regularly: use ATF Cleaner by Atribune or TFC.
    5. Use an antivirus software (only one).
    See Virus, Spyware, and Malware Protection and Removal Resources

    6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls; both are free and good:
    Comodo or Zone Alarm
    7. Consider these programs for extra security:
    • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
    • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.

    If I can be of further assistance, please let me know.
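The MVPS hosts file tip above works by mapping ad domains to 127.0.0.1. The same file is also one place a hijacked machine can send search-engine and antivirus domains to an outside address, which is the redirect symptom this thread opened with, so it is worth auditing before and after installing such a list. As an added example (not the helper's code and not part of the MVPS download), here is a Python audit over a constructed hosts file: entries that resolve to loopback or 0.0.0.0 are reported as harmless blocklist entries, while a well-known domain sent anywhere else is flagged; the WATCHED_SUFFIXES list and the verdict names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample hosts file for this example (not taken from the thread).
SAMPLE_HOSTS = """
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# blocklist-style entries, as an MVPS-type hosts file adds them: harmless, they point at this machine
127.0.0.1  ad.doubleclick.net
0.0.0.0    adserver.example
# LAN entry a user might add on purpose
192.168.1.10  fileserver
# entries that send well-known names to an outside address: the redirect symptom of this thread
203.0.113.7  www.google.com search.yahoo.com
203.0.113.7  www.avira.com   # trailing comment
"""

# Domains whose redirection is never a blocklist effect (assumed list; extend as needed).
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "bing.com", "microsoft.com",
                    "avira.com", "malwarebytes.org", "eset.com")


def parse_hosts(text):
    """Yield (line_no, ip, name) for every hostname in a hosts file, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not a mapping
        for name in fields[1:]:
            yield line_no, ip, name.lower()


def verdict(ip, name):
    """Classify one mapping: loopback/null means blocked, anything else for a watched name means hijack."""
    if name in ("localhost", "localhost.localdomain"):
        return "local"
    if ip.is_loopback or ip.is_unspecified:
        return "blocklist"   # 127.0.0.1 / 0.0.0.0 / ::1: the name is neutralised
    if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
        return "hijack"      # a search engine or AV vendor sent somewhere else
    return "review"          # custom mapping; harmless or not, a human should look


def audit_hosts(text):
    return [{"line": n, "ip": str(ip), "name": name, "verdict": verdict(ip, name)}
            for n, ip, name in parse_hosts(text)]


def hijacked_names(text):
    return sorted(e["name"] for e in audit_hosts(text) if e["verdict"] == "hijack")


if __name__ == "__main__":
    for e in audit_hosts(SAMPLE_HOSTS):
        print(f"line {e['line']:2}  {e['verdict']:9}  {e['ip']:14} {e['name']}")
```

On Windows the file is %SystemRoot%\system32\drivers\etc\hosts, and the MVPS file uses the same layout, so the audit can be run over either.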
     