
Malware redirecting pages in Google results

Discussion in 'Virus and Malware Removal' started by hasek747, Jun 4, 2011.

  1. hasek747 Newcomer, in training Posts: 46

    Ahhh, I mis-read your last post; sorry. Will post the OTL report asap.
  2. hasek747 Newcomer, in training Posts: 46

    Here are the OTL Fix results...



    All processes killed
    ========== OTL ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{855F3B16-6D32-4fe6-8A56-BBB695989046} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ not found.
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{855F3B16-6D32-4fe6-8A56-BBB695989046} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ not found.
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\ not found.
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{855F3B16-6D32-4fe6-8A56-BBB695989046} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ not found.
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
    Registry value HKEY_USERS\S-1-5-21-448539723-1580436667-839522115-500\Software\Microsoft\Internet Explorer\URLSearchHooks\\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\ not found.
    Registry value HKEY_USERS\S-1-5-21-448539723-1580436667-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ deleted successfully.
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\KeyScrambler deleted successfully.
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ not found.
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\KeyScrambler not found.
    Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ deleted successfully.
    Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
    Registry key HKEY_USERS\S-1-5-21-448539723-1580436667-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mks.com.pl\ deleted successfully.
    Starting removal of ActiveX control {31435657-9980-0010-8000-00AA00389B71}
    C:\WINDOWS\Downloaded Program Files\wvc1dmo.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{31435657-9980-0010-8000-00AA00389B71}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
    Starting removal of ActiveX control {41564D57-9980-0010-8000-00AA00389B71}
    C:\WINDOWS\Downloaded Program Files\wmvadvd.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{41564D57-9980-0010-8000-00AA00389B71}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41564D57-9980-0010-8000-00AA00389B71}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{41564D57-9980-0010-8000-00AA00389B71}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41564D57-9980-0010-8000-00AA00389B71}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{09b14c8a-d72a-11de-9e79-00508db38651}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09b14c8a-d72a-11de-9e79-00508db38651}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{09b14c8a-d72a-11de-9e79-00508db38651}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09b14c8a-d72a-11de-9e79-00508db38651}\ not found.
    File E:\LaunchU3.exe -a not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{119fdc08-dc67-11de-9e82-00508db38651}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{119fdc08-dc67-11de-9e82-00508db38651}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{119fdc08-dc67-11de-9e82-00508db38651}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{119fdc08-dc67-11de-9e82-00508db38651}\ not found.
    File F:\USBAutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b4d141d-e897-11dd-9dd7-00508db38651}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4b4d141d-e897-11dd-9dd7-00508db38651}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f831d700-f05c-11dd-9de0-00508db38651}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f831d700-f05c-11dd-9de0-00508db38651}\ not found.
    File sal.xls.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f831d700-f05c-11dd-9de0-00508db38651}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f831d700-f05c-11dd-9de0-00508db38651}\ not found.
    File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fb53266c-9192-11df-9eed-00508db38651}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fb53266c-9192-11df-9eed-00508db38651}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fb53266c-9192-11df-9eed-00508db38651}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fb53266c-9192-11df-9eed-00508db38651}\ not found.
    File F:\laucher.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ not found.
    File E:\USBAutoRun.exe not found.
    C:\Documents and Settings\Administrator\Pulpit\~WRL3129.tmp deleted successfully.
    C:\Documents and Settings\Administrator\Pulpit\~WRL3616.tmp deleted successfully.
    C:\Documents and Settings\Administrator\Pulpit\~WRL3845.tmp deleted successfully.
    C:\Documents and Settings\Administrator\Pulpit\~WRL3879.tmp deleted successfully.
    C:\WINDOWS\System32\ConduitEngine.tmp deleted successfully.
    C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
    C:\WINDOWS\msdownld.tmp folder deleted successfully.
    C:\WINDOWS\tasks\Neohnesmrv.job moved successfully.
    C:\WINDOWS\system32\1306868180.(null) moved successfully.
    C:\WINDOWS\system32\XAPOFX1_1E.dll moved successfully.
    ADS C:\Documents and Settings\All Users\Dane aplikacji\TEMP:B0A96209 deleted successfully.
    ADS C:\Documents and Settings\All Users\Dane aplikacji\TEMP:9BC7427F deleted successfully.
    ADS C:\Documents and Settings\All Users\Dane aplikacji\TEMP:C05A8628 deleted successfully.
    ADS C:\Documents and Settings\All Users\Dane aplikacji\TEMP:723BF4A6 deleted successfully.
    ADS C:\Documents and Settings\All Users\Dane aplikacji\TEMP:DFC5A2B2 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 171082812 bytes
    ->Temporary Internet Files folder emptied: 57264663 bytes
    ->Java cache emptied: 66100115 bytes
    ->FireFox cache emptied: 111657403 bytes
    ->Google Chrome cache emptied: 276462628 bytes
    ->Apple Safari cache emptied: 22936576 bytes
    ->Opera cache emptied: 15403042 bytes
    ->Flash cache emptied: 2181749 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 38784 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 119962 bytes

    User: LogMeInRemoteUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: postgres
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Test
    ->Temp folder emptied: 69847527 bytes
    ->Temporary Internet Files folder emptied: 181589097 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 4490121 bytes
    ->Google Chrome cache emptied: 6099312 bytes
    ->Flash cache emptied: 58829 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 23259324 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 962.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: LogMeInRemoteUser

    User: NetworkService

    User: postgres

    User: Test
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.23.0 log created on 06042011_223738

    Files\Folders moved on Reboot...
    File\Folder C:\WINDOWS\temp\hsperfdata_SYSTEM\1968 not found!

    Registry entries deleted on Reboot...
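To make a fix log like the one above easier to read, here is an added example (not part of this thread and not OTL's own code) that parses OTL result lines and groups them by the persistence mechanism each entry belongs to: IE URL search hooks, Browser Helper Objects, the proxy auto-config (AutoConfigURL) setting, MountPoints2 autorun entries, RunOnce, scheduled tasks and alternate data streams. The line format is assumed from the log posted above, the category table is a heuristic, and the sample log is constructed (made-up GUIDs, SIDs and paths, not values from the thread).

```python
"""Classify the actions in an OTL fix log by the persistence mechanism they touch.

Added example for the thread above; it is not part of OTL or of the original
post. The excerpt in SAMPLE_LOG is constructed to mirror the shape of the OTL
output posted above (made-up GUIDs, SIDs and paths, not values from the thread).
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class OtlAction(NamedTuple):
    kind: str      # "registry value", "registry key", "file", "folder", "file/folder", "ads"
    target: str    # registry path or file-system path exactly as OTL printed it
    outcome: str   # "deleted", "moved" or "not found"
    category: str  # persistence mechanism (heuristic, see CATEGORIES)


# Substring of the target -> the mechanism it serves. First match wins, so the
# specific browser and proxy keys come before the generic CLSID entry.
CATEGORIES = [
    ("URLSearchHooks", "browser: IE URL search hook"),
    ("Browser Helper Objects", "browser: IE BHO"),
    ("Internet Explorer\\Extensions", "browser: IE extension"),
    ("AutoConfigURL", "network: proxy auto-config (PAC) URL"),
    ("ZoneMap\\Domains", "browser: IE zone override"),
    ("Distribution Units", "browser: ActiveX download"),
    ("MountPoints2", "autorun: removable-drive mount point"),
    ("\\RunOnce", "startup: RunOnce"),
    ("\\tasks\\", "startup: scheduled task"),
    ("Classes\\CLSID", "com: CLSID registration"),
]

OUTCOMES = {"deleted successfully": "deleted", "moved successfully": "moved", "not found": "not found"}

# Assumed line shape: optional kind prefix, the target, optional "folder", then the outcome.
LINE_RE = re.compile(
    r"^(?:(?P<kind>Registry value|Registry key|File\\Folder|File|ADS)\s+)?"
    r"(?P<target>.+?)(?P<folder>\s+folder)?\s+"
    r"(?P<outcome>deleted successfully|moved successfully|not found)[.!]?$"
)

# Constructed sample log (not the thread's values); same line shapes as the OTL output above.
SAMPLE_LOG = r"""
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{00000000-1111-2222-3333-444444444444} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\ not found.
Registry value HKEY_USERS\S-1-5-21-0-0-0-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55555555-6666-7777-8888-999999999999}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\ deleted successfully.
File F:\USBAutoRun.exe not found.
Starting removal of ActiveX control {12345678-0000-0000-0000-000000000000}
C:\WINDOWS\tasks\Example.job moved successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
ADS C:\Documents and Settings\All Users\Dane aplikacji\TEMP:DEADBEEF deleted successfully.
File\Folder C:\WINDOWS\temp\example\1234 not found!
"""


def categorize(kind: str, target: str) -> str:
    """Map a target to the persistence mechanism it belongs to (heuristic table above)."""
    if kind == "ads":
        return "filesystem: alternate data stream"
    lowered = target.lower()
    for needle, label in CATEGORIES:
        if needle.lower() in lowered:
            return label
    return "other"


def parse_line(line: str) -> Optional[OtlAction]:
    """Turn one OTL result line into an OtlAction; None for headers and progress lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind = m.group("kind")
    if kind is None:  # bare path lines: OTL says "folder" explicitly, otherwise it is a file
        kind = "folder" if m.group("folder") else "file"
    else:
        kind = kind.lower().replace("\\", "/")
    target = m.group("target")
    return OtlAction(kind, target, OUTCOMES[m.group("outcome")], categorize(kind, target))


def parse_log(text: str) -> List[OtlAction]:
    return [a for a in (parse_line(ln) for ln in text.splitlines()) if a is not None]


def summarize(actions: List[OtlAction]) -> Dict[str, Counter]:
    """Per category, count how many entries were deleted, moved or not found."""
    summary: Dict[str, Counter] = {}
    for a in actions:
        summary.setdefault(a.category, Counter())[a.outcome] += 1
    return summary


def removed_mechanisms(actions: List[OtlAction]) -> List[str]:
    """Categories where OTL actually removed something, as opposed to entries the
    fix script listed that were already gone ("not found")."""
    return sorted({a.category for a in actions if a.outcome in ("deleted", "moved")})


if __name__ == "__main__":
    acts = parse_log(SAMPLE_LOG)
    for category, counts in sorted(summarize(acts).items()):
        print(f"{category:45s} {dict(counts)}")
    print("mechanisms actually present on this machine:", removed_mechanisms(acts))
```

The useful distinction is between entries that were "deleted" or "moved" (something was really there) and the "not found" entries, which a fix script lists defensively; `removed_mechanisms` keeps only the former. Run over the log posted above it would show that a URL search hook, two BHOs and a per-user AutoConfigURL (proxy auto-config) setting were all present, and each of those is a mechanism capable of redirecting search-result clicks, which is consistent with the symptom in this thread even though the log alone cannot say which one was responsible.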
  3. hasek747 Newcomer, in training Posts: 46

    Hmm, not sure if this is permanent, but it seems that the problem has disappeared temporarily - I haven't experienced the redirect for the past 15 minutes, even though I've opened A LOT of pages for testing purposes :) either way, if there is anything I should do next, let me know.

    I'll post an update soon of how things are going in any case!
  4. hasek747 Newcomer, in training Posts: 46

    Damn, it really seems the problem is gone! :)

    What exactly was the issue, do you reckon?

    Thanks a ton for your time and help man!
  5. Broni Malware Annihilator Posts: 39,288   +175

    Good news :)

    Well, each tool we ran so far removed some issues, so without knowing at what stage of our cleaning process the redirection stopped, it's hard to say what the main issue was.
    I'm glad we fixed it :)

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
  6. hasek747 Newcomer, in training Posts: 46

    I'm 95% certain the issue wasn't fixed until the last step - applying fixes in OTL :)

    I'll post the other logs asap (working on it.)
     
  7. Broni Malware Annihilator Posts: 39,288   +175

    OK :).......
  8. hasek747 Newcomer, in training Posts: 46

    Security Check log follows. A few explanations:

    1. Windows firewall is disabled because I'm running Comodo
    2. I installed Avira, as I didn't feel comfortable without an anti-virus anymore, hope that's not a problem and doesn't affect anything.
    3. I don't use Internet Explorer at all, so it being outdated shouldn't be a problem, right?
    4. Not sure why it says Java is out of date, we just fixed that.



    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 3
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    Avira AntiVir Personal - Free Antivirus
    Antivirus out of date! (On Access scanning disabled!)
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Ad-Aware
    MVPS Hosts File
    SpywareBlaster 4.4
    Java(TM) 6 Update 25
    Out of date Java installed!
    Adobe Flash Player 10.1.102.64
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Ad-Aware AAWService.exe
    Ad-Aware AAWTray.exe
    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    Comodo Firewall cmdagent.exe
    Comodo Firewall cfp.exe
    ``````````End of Log````````````
  9. Broni Malware Annihilator Posts: 39,288   +175

    1. Fine
    2. Fine
    3. No, IE is a part of Windows, and even if you don't use it, it's still there, so it must be kept up to date.
    4. Your Java is fine.

    All I need is Eset scan...
  10. hasek747 Newcomer, in training Posts: 46

    Temp files removed. Now the virus scan.
  11. Broni Malware Annihilator Posts: 39,288   +175

    OK................
  12. hasek747 Newcomer, in training Posts: 46

    By the way, just sent you a small paypal donation - nothing big as I don't have a lot, but please consider this a thank you :)
  13. Broni Malware Annihilator Posts: 39,288   +175

    Ahh, That's very nice of you :)
    Thank you :)
  14. hasek747 Newcomer, in training Posts: 46

    Scan still running, and given that it has only scanned 27000 files so far (I think I have around 90,000) I suspect it could take quite a while :) I'll paste as soon as it's ready, or tomorrow morning if I go to sleep before it happens (it's past midnight here) :)

    Thanks again for your help! If it turns out the problem wasn't actually gone I won't hesitate to post :)
  15. hasek747 Newcomer, in training Posts: 46

    By the way; rather than start a new thread, I'll use this topic to ask you for advice / an opinion.

    You could say that I take the security of my computer quite seriously, although not as seriously as I should given how much sensitive data I tend to store and process. What I'm trying to do is compile the best possible protection I can have (coupled of course with common sense and caution :)

    I'm thinking of....

    1. Avira
    2. Ad-Aware + Spyware Blaster
    3. Comodo
    4. regular GMER scans

    What do you think? Do you think I should add / change something, perhaps go for paid software (I'm willing to do that if it is worth it.)
  16. Broni Malware Annihilator Posts: 39,288   +175

    Ad-Aware is a tool of the past.
    You can safely uninstall it.
    In addition to what you listed, you should use MBAM regularly.
  17. hasek747 Newcomer, in training Posts: 46

    Cool, will do - thanks!

    Anything specific for protecting oneself against keyloggers (prevention mostly)? Those are the ones I'm most paranoid about.
  18. Broni Malware Annihilator Posts: 39,288   +175

    Not really. Make sure you know who's using your computer :)
  19. hasek747 Newcomer, in training Posts: 46

    Luckily I'm the only one who does :)

    ESET scan almost done, 94%....
  20. Broni Malware Annihilator Posts: 39,288   +175

    You should be fine then....