Malware help

By gibnihtmus
Jan 2, 2010
Topic Status:
Not open for further replies.
  1. I have a problem with google. When I search something and click on the link, it redirects me to other sites. Sometimes inappropriate sites. My parents use this computer too, so this is pretty urgent, please help.

    Attached Files:

  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,689   +153

    Try running the ESET Scanner:
    Scanner

    See if it picks up any additional things
  3. gibnihtmus

    gibnihtmus Newcomer, in training Topic Starter

    ok sorry for the late response, I don't use the computer much on weekends

    I'm scanning it right now
  4. gibnihtmus

    gibnihtmus Newcomer, in training Topic Starter

    the scan detected nothing and the redirect thing is still happening
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    gibnihtmus, I'll help with the malware. The scan that you were instructed to run served no purpose at this point:

    1) I have noticed that there is no antivirus program running
    Good security demands, in part, that you have an up-to-date antivirus program. This protects the system against viruses, Worms and some Trojans. Without this protection, the system is more vulnerable to attacks. Since you do not have an antivirus program, please consider installing one of the following programs- Note: You should have only one antivirus program.
    Both of the following programs are free and known to be good:
    Avira Free
    OR
    Avast Home
    Please reboot the system after the installation is complete.

    Once the program is installed, you should check for updates immediately.

    2) P2P or 'file sharing' Warning:
    I see that you are using BearShare File Sharing Client
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall BearShare File Sharing Client for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    3) The system has Spybot, which is a spyware/adware program. It runs a Real Time Protection (for spyware), TeaTimer, that you will need to disable while scanning:
    • Right click the TeaTimer icon in the system Tray
    • Then click Exit Spybot-S&D Resident
    • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe)

    There are several Trojan Vundo files: Please do the following:

    4) Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Then save to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup you saved to the desktop to Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    5) Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt Please include this on your post.

    6) Rescan with HijackThis

    Summary in order of importance:

    1. Get a running antivirus program in the system.
    2. Remove P2P program
    3. Disable TeaTimer
    4. Run Combofix (attach report)
    5. Run Eset scan (attach log)
    6. Rescan with Hijackthis (attach new log)

    Include the reports and logs for all of the above in your next reply.
  6. gibnihtmus

    gibnihtmus Newcomer, in training Topic Starter

    ok I'm running the scan, I'll post the logs up in like 1-3 hours
  7. gibnihtmus

    gibnihtmus Newcomer, in training Topic Starter

    here are the logs

    the log.txt is the eset one

    Attached Files:

  8. gibnihtmus

    gibnihtmus Newcomer, in training Topic Starter

    I forgot to rescan the HijackThis log, that one was the old one. I just rescanned it

    Attached Files:

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Did you trade Bearshare for Bit Torrent? See P2P Warning in Post #5. The entry in the HijackThis log for AppInit remains.

    The HijackThis rescan should follow the other programs that you are instructed to run. You ran HJT on Scan saved at 9:16:52 PM, on 1/5/2010. But you ran Combofix after on 01/06/2010 0:16.1.2 - x86. So try that again please. Delete the Combofix file on your desktop and scan again.

    After running ComboFix, then rescan with HJT. Attach both report and log to next reply.

    Please delete this and do not use any file sharing programs while we are cleaning.
  10. gibnihtmus

    gibnihtmus Newcomer, in training Topic Starter

    ok I got rid of it, sorry I forgot to delete that too

    Attached Files:

  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Have the redirects stopped? Are there any other malware related problems? If Yes/No, you can remove the cleaning tools and old restore points:

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    If I can be of help in the future, please let me know.
     
  12. gibnihtmus

    gibnihtmus Newcomer, in training Topic Starter

    ok thanks it fixed the problem
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You're welcome. Here are some tips to help keep it clean!

    Please follow these simple steps to keep your computer clean and secure:
    1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

    System Restore Guide


    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently.
      You should get All updates marked Critical and the current SP updates: Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP2
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    3. Make Internet Explorer safer. Follow the suggestions HERE
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    4. Remove Temporary Internet Files regularly: Use
    5. Use an AntiVirus Software (only one)
    6. Use a good, bi-directional firewall (one software firewall)
    See Understanding and Using Firewalls including links to download a firewall.

    7. Consider these programs for Extra Security
    • SpywareBlaster: protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad: this places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: this replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar: get the free google toolbar to help stop pop up windows.
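The MVPS HOSTS tip above works because Windows consults the HOSTS file before DNS: ad domains mapped to 127.0.0.1 never get contacted. Search-redirect malware of the kind this thread was about abuses the same file in the opposite direction, mapping search engines, update servers or antivirus vendors to an address the attacker controls. The script below is an added example written for this page, not part of the thread or of MVPS; it reads a HOSTS file, treats entries that point at 127.0.0.1, 0.0.0.0 or ::1 as legitimate blocking, and flags any entry that sends a watched domain elsewhere. The watched-domain list and the sample file are constructed for illustration; on a real machine pass the path to `%SystemRoot%\System32\drivers\etc\hosts` as the first argument.

```python
"""Check a Windows HOSTS file for search-engine/update hijacks.

Added example, not from the TechSpot thread or any tool named in it. An
MVPS-style HOSTS file maps ad domains to a sinkhole address; redirect
malware abuses the same mechanism by mapping search or update domains to an
attacker's address. The watched-domain list and SAMPLE_HOSTS below are
constructed for illustration. Windows keeps the live file at
%SystemRoot%\\System32\\drivers\\etc\\hosts; pass that path as argv[1].
"""
import ipaddress
import sys

# Domains a user expects to reach directly. A HOSTS entry that sends one of
# these anywhere but a sinkhole address is a hijack indicator. Illustrative,
# not exhaustive.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "windowsupdate.com", "microsoft.com",
    "eset.com", "avast.com", "avira.com",
)

# Addresses used to "null-route" a name; legitimate for ad blocking.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping in HOSTS text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an address, so not a mapping
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def is_watched(name):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def classify_hosts(text):
    """Split HOSTS mappings into benign blocks and suspicious hijacks.

    block  - any host mapped to a sinkhole address (what MVPS does)
    hijack - a watched domain mapped to a real, non-local address
             (the pattern behind search-redirect infections)
    """
    result = {"block": [], "hijack": []}
    for ip, name, line_no in parse_hosts(text):
        if name == "localhost":
            continue  # the default entry Windows ships with
        if ip in SINKHOLE_IPS:
            result["block"].append((name, ip, line_no))
        elif is_watched(name):
            result["hijack"].append((name, ip, line_no))
    return result


# Constructed sample: the default entry, two MVPS-style blocks, and four
# injected hijacks using RFC 5737 documentation addresses.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ad.doubleclick.net          # MVPS-style block
0.0.0.0  www.some-ad-network.example
203.0.113.45   www.google.com        # injected: redirects searches
203.0.113.45   google.com
203.0.113.45   www.bing.com
198.51.100.7   update.microsoft.com   # injected: starves updates
"""


def report(text):
    """Human-readable summary, returned as lines so it can be checked."""
    found = classify_hosts(text)
    lines = [f"{len(found['block'])} sinkhole (blocking) entries"]
    for name, ip, line_no in found["hijack"]:
        lines.append(f"HIJACK line {line_no}: {name} -> {ip}")
    if not found["hijack"]:
        lines.append("no watched domain is redirected")
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    print("\n".join(report(text)))
```

Run with no arguments to see the constructed sample classified: two blocking entries and four hijack lines. A clean machine normally has only the `localhost` entry (or nothing but comments), so any HIJACK line is worth investigating before the browser is blamed; an MVPS-style file will show a large block count and no hijacks.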