Redirecting virus for search engines

4646asdfasdf

Hi guys! I'm new to this forum. Pleasure to meet you all.

A few days ago I was infected with multiple viruses and spyware. After running SUPERAntiSpyware and Malwarebytes I was able to clean my computer up almost completely. Then I went on Google or Yahoo to search for something when I noticed that I keep getting redirected to some random site. Firefox blocked the website, saying it was malicious. So I used Internet Explorer to see if there was any difference. After that, I noticed that I had the same problem, but this time I did get redirected to some random website instead of getting blocked like in Firefox. I tried running complete scans with the two anti-spyware programs I used, but they both said that I had no malicious components on my computer. Please help me!
 

Attachments

  • mbam-log-2010-01-02 (23-14-03).txt (845 bytes)
  • SUPERAntiSpyware Scan Log - 01-02-2010 - 22-11-31.log (465 bytes)
Welcome to TechSpot, 4646asdfasdf. I'll help with the malware.

Understand that when Firefox blocks a site and marks it as 'Malicious' or 'Fraud', it can be a problem with the actual site you are trying to access, or it can be due to malware redirecting to a bad site.

I would also like to mention that you have a great many processes starting and running in the background: for example, your printer, scanner, camera, imaging programs, and auto-updaters other than for Windows Updates. None need to start on boot and then run in the background using your resources. When you need to use the program, including the printer, either start it from Start > All Programs, or use the Print feature in File.

Please reopen HijackThis to 'Do a system scan only.' Check the following entries if found:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop


Close all windows except HijackThis and click on "Fix Checked".

You also need to update Adobe Reader. You have v7; current is v9.xx. This can be a source of vulnerability:
Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.


Other than the few entries I left, we're not seeing the malware. Please do the following:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please attach the Combofix report and Eset scan log to your next reply.

Rescan with HijackThis and include a new log.
 
I only got the ESET scanner log and fixed the HijackThis entries. I still need to do ComboFix. I attach the log to this post. Sorry for my slow delay. I will try to get ComboFix done ASAP!
 

Attachments

  • log.txt (2.2 KB)
On a side note, the ESET scanner seemed to do the job. My redirecting problem is completely gone. I tested Google links for over 5 minutes.
I will post the ComboFix log tomorrow to see if there are still remaining viruses left on my computer.
Thank you for your help; I am extremely grateful~
 
The ESET instructions say "do not check for removal." It appears that you did. Let's wait for the ComboFix report. Just because the main original problem was resolved does not mean the system is malware free.

Attach that report to your next reply.
Then update and run the ESET scan again:
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked

Attach new log.
 
Okay, ESET is clean. The redirect has been resolved. Hold on ComboFix and rescan with HijackThis. Attach a new log. If the problems have been resolved and HJT looks okay, I'll have you remove the cleaning tools and old restore points.
 
Unfortunately, this is an example of what can happen when cleaning goes on for so long.

O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll >> KBDSOCK.DLL is a Trojan/Backdoor.

The file KBDSOCK.DLL was first observed on Jan 06 2010 and last seen on Jan 12 2010.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

Important! Save the renamed download to your desktop.
  • Double click on the setup file on the desktop to run
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • Query: Recovery Console image
    (image: RcAuto1.gif)

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    (image: whatnext.png)

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Follow with a new Eset online scan:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Attach the ComboFix report and new ESET log to your next reply.

I also noticed the BackWeb updater in the Logitech Desktop Messenger. This isn't new; I just didn't see it previously. I will suggest you remove it next round. It has frequently been said that BackWeb does more than updating!
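The two kinds of HijackThis entries flagged in this thread, the R0/R1 browser start/search page entries and the O20 AppInit_DLLs entry, can be triaged automatically from a saved HJT log. The following is an added example written for this page, not code from the thread or from HijackThis; the sample log lines are constructed from the entries quoted above, and the trusted-host allowlist is a hypothetical one an analyst would fill in for the machine at hand.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist: hosts the analyst has decided this machine's IE
# home/search pages may legitimately point at. Anything else is reported.
TRUSTED_HOSTS = {"www.google.com", "www.msn.com"}

# HijackThis line shapes used in the thread:
#   R0 - HKCU\...\Main,Start Page = http://...
#   R1 - HKLM\...\Main,Search Bar = http://...
#   O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.*)$")
O20_LINE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")

# Constructed sample log, assembled from lines quoted in this thread plus
# one benign O4 line to show that unrelated sections are ignored.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def triage_hjt(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of findings (dicts) for redirect-style R0/R1 entries
    whose host is not trusted, and for every DLL listed under AppInit_DLLs."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            section, key, name, url = m.groups()
            url = url.strip()
            host = urlparse(url).hostname or ""
            if url and host not in trusted_hosts:
                findings.append({"section": section, "key": f"{key},{name}",
                                 "value": url,
                                 "reason": f"browser page points at untrusted host {host!r}"})
            continue
        m = O20_LINE.match(line)
        if m:
            # AppInit_DLLs is normally empty; any DLL here is loaded into
            # every process that loads user32.dll, so each one is reported.
            for dll in re.split(r"[,\s]+", m.group(1).strip()):
                if dll:
                    findings.append({"section": "O20", "key": "AppInit_DLLs",
                                     "value": dll,
                                     "reason": "non-empty AppInit_DLLs entry"})
    return findings
```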
 
ComboFix log attached. Also, for BackWeb, do you want me to uninstall Logitech Desktop Manager?
 

Attachments

  • Combofix log.txt (19.7 KB)
Thank you. Please go to the Control Panel> Java> Temporary Internet Files> Settings> Click on Delete files. Close.

Please download OTMoveIt by Old Timer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\4f6fda35-1c0d9329	
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
---------------------------------------
I'm asking someone a question about one of the Combofix deletions so will be back. Go ahead and do this.
About the Logitech Desktop Manager: if you use the program, you can keep it. If not, uninstall it.
But you can just uninstall BackWeb if you want. It should appear separately in Add/Remove Programs in the Control Panel.
 
BackWeb isn't in Add/Remove Programs. It's in the folder Logitech Messenger > Program. When I try deleting it from Program, it won't let me.
 
It's not going to let you delete it if it's running: try this:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

The full path is: C:\Program\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

Use Windows Explorer: Right click on Start> Explore> Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide protected system files'> Apply> OK

Navigate to My Computer> Local Drive (C)> Programs> Click on Logitech Desktop Messenger> do a right click> delete on BackWeb-8876480.exe> Close

Go back and hide the files and folders.

Comment on BackWeb:
Any file that accesses the internet without my knowledge I consider dangerous. If enough of these kinds of background programs are installed, they will eventually slow down even the fastest computer.

But I believe the vendors should give a warning and let the end users make up their own minds as to whether or not the product is installed. Let's face it: you can always download a software patch from a vendor's website; you don't need constant monitoring. BackWeb is also bundled with the Kodak EasyShare software, Western Digital and others.
 
Regarding BackWeb, I just went ahead and uninstalled the whole Logitech Desktop Manager because I realized that I rarely use it.
 
The Trojan should be gone. I've asked someone to take a look at the ComboFix deletions. We may need to repair some files.
 
If ComboFix asks you to update, allow it.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\drivers\ksbxhns.sys

Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d84919fb-c4ed-11de-83ad-0017310e5cac}]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ksbxhns]

Driver::
ksbxhns

KILLALL::

Save this as CFScript.txt, in the same location as ComboFix.exe


(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
 
I have a problem: my original Combo-Fix disappeared. So I tried to download a new one and drag CFScript into it, but it didn't work. It said the installation was corrupted and that I should download a fresh copy, which I did, but it still didn't work.
 