Another Redirect Virus here.

July 5, 2009 at 18:06:35
Specs: Windows XP
My problem is on both IE and Firefox. I also started the process stated in some of the other posts: D/L AVZ. I unzipped it and clicked the AVZ.EXE and the program came up. I cut and pasted the script, it did reboot, but now I can't find the log. When I drag the EXE file over to my desktop and try to click it, all the clickable icons have gibberish in them. It looks fine if I click it right from the RAR program used to unzip it.


Gateway P4 2.6GHz
DDR PC2 gig RAM
IE 7




#1
July 5, 2009 at 18:51:20
Follow:
1) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log; fix anything detected.

2) House cleaning. Run a full scan with SuperAntispyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.



#2
July 6, 2009 at 10:31:10
Malwarebytes' Anti-Malware 1.38
Database version: 2378
Windows 5.1.2600 Service Pack 3

7/6/2009 7:07:53 AM
mbam-log-2009-07-06 (07-07-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 284093
Time elapsed: 1 hour(s), 55 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7998DC37-D3FE-487C-A60A-7701FCC70CC6}\InprocServer32\(default) (Hijack.Repdrvfs) -> Bad: (\\?\globalroot\systemroot\installer\f87482e.msi) Good: (repdrvfs.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
c:\documents and settings\Leslie's\local settings\Temp\2F80.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Leslie's\local settings\Temp\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Leslie's\local settings\Temp\~TM2F85.tmp (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Leslie's\local settings\temporary internet files\Content.IE5\ACYG5G08\fivijnnboc[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{7dca1be4-d752-48d6-a25e-c722c8fd1bc4}\RP608\A0250266.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINNT\system32\UAClxraurftqlkfuodqb.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINNT\system32\wbem\proquota.exe (Worm.KoobFace) -> Quarantined and deleted successfully.

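A small triage helper for a log like the one in post #2, added here as an example; it is not part of the thread and not Malwarebytes' own tooling. It parses the section layout of a Malwarebytes' Anti-Malware 1.x log (summary counts, then per-section detection lines of the form `item (Family) -> action`), checks that the listed items agree with the summary counts, and flags families whose names indicate rootkit components (`Rootkit.Trace`, `Trojan.TDSS` in this thread) or Security Center tampering, which is exactly the situation where a dedicated anti-rootkit pass such as the later GMER step is warranted rather than declaring the machine clean. The embedded log is a constructed excerpt of the one posted, trimmed to a few lines; the function and field names are this example's own.

```python
import re
from collections import Counter

# Constructed excerpt of the Malwarebytes' Anti-Malware 1.x log posted in the
# thread, kept to a handful of lines so the example runs offline.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.38
Database version: 2378

Scan type: Full Scan (C:\\|)
Objects scanned: 284093

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\\CLSID\\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\\WINNT\\system32\\UAClxraurftqlkfuodqb.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\\WINNT\\system32\\wbem\\proquota.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 6" in the summary block at the top of the log.
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:" introducing the itemised section further down.
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<item> (<Family>) -> <action>"; the action may itself contain "Bad: (..) Good: (..) ->".
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Family-name fragments that mean a kernel-level component was involved
# (assumption: these substrings are this example's own heuristic, not MBAM's).
ROOTKIT_HINTS = ("Rootkit", "TDSS")


def parse_mbam_log(text):
    """Return (summary_counts, sections) where sections maps a section name
    to the list of detections listed under it."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m["section"]
            sections[current] = []
            continue
        m = DETECTION_RE.match(line)
        if m and current is not None:
            sections[current].append(
                {"item": m["item"], "family": m["family"], "action": m["action"]}
            )
    return summary, sections


def triage(summary, sections):
    """Summarise detections and decide whether an anti-rootkit follow-up is needed."""
    detections = [d for items in sections.values() for d in items]
    families = Counter(d["family"] for d in detections)
    # Every summary count should equal the number of items actually listed;
    # a mismatch usually means the log was truncated or edited before posting.
    mismatches = {
        s: (summary[s], len(items))
        for s, items in sections.items()
        if s in summary and summary[s] != len(items)
    }
    rootkit_families = sorted(
        f for f in families if any(h in f for h in ROOTKIT_HINTS)
    )
    # "Disabled.SecurityCenter" style families record tampering with Windows'
    # own notification settings, a sign the infection was more than adware.
    tampering = [d["item"] for d in detections if d["family"].startswith("Disabled.")]
    return {
        "total_detections": len(detections),
        "families": dict(families),
        "summary_mismatches": mismatches,
        "rootkit_families": rootkit_families,
        "security_center_tampering": tampering,
        "needs_rootkit_followup": bool(rootkit_families),
    }


if __name__ == "__main__":
    s, sec = parse_mbam_log(SAMPLE_LOG)
    for key, value in triage(s, sec).items():
        print(f"{key}: {value}")
```

Run against the full log from post #2 the same code reports `Rootkit.Trace` and `Trojan.TDSS` among the families and sets `needs_rootkit_followup`, which is the signal the helper in this thread acted on by asking for a GMER scan after the Alureon detection.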

#3
July 6, 2009 at 10:35:29
I left out the cookies in this log; too many, CN won't take this huge post.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/06/2009 at 08:31 AM

Application Version : 4.26.1006

Core Rules Database Version : 3973
Trace Rules Database Version: 1913

Scan type : Complete Scan
Total Scan Time : 01:07:44

Memory items scanned : 705
Memory threats detected : 0
Registry items scanned : 6936
Registry threats detected : 19
File items scanned : 29926
File threats detected : 491
Adware.SideStep Toolbar
HKLM\Software\Classes\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\Implemented Categories
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\InprocServer32
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\InprocServer32#ThreadingModel

Rootkit.Agent/Gen
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#group
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#UACd
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#UACc
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacbbr
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacsr
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacmask
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacserf

Trace.Known Threat Sources
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\508KXQPK\f17118dbf1444d7de961949b6b40d7b4-vega4[1].json
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\MB4QK9ZC\9b26bba2750f5[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\P8SBI7LK\cached-view[1].js
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\MB4QK9ZC\4a9b133fa5dba[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\P8SBI7LK\cached-view[1].css
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\3P1PWK3A\feed9c419959266f0581c89205bef170-vega4[1].htm
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\9GR6HM24\log[1]
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\W7HI2FQ4\fd515cdb843a3[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\JILHOQH5\e5152531ab33d[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\X5YPMH4Y\crossdomain[2].xml
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\EY5QJ9L3\3cff54ca7bad1[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\37V5FFDT\log[1]
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\0Z872ZZK\2df4652d42481[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\VBPKZ2RZ\fc8c30658a215[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\W7HI2FQ4\848b2accbd4a2[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\3P1PWK3A\c1bc94b8dd164[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\MB4QK9ZC\control[1].xml
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\JDJMC4YW\log[1]
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\JDJMC4YW\8a8f5369ece99[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\JDJMC4YW\log[2]
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\0Z872ZZK\log[2]
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\MB4QK9ZC\log[1]
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\7O8DD8LA\AdPlayer8-17.3_010961[1].swf
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\3P1PWK3A\4b5abb77967f4[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\IB3YIIFR\inroll[1].xml
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\IB3YIIFR\player[2].swf
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\JILHOQH5\cached-view[1].js
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\7O8DD8LA\fcd9117442f46[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\9GR6HM24\feed9c419959266f0581c89205bef170-vega4[2].htm
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\IB3YIIFR\feed9c419959266f0581c89205bef170-vega4[2].htm
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\QVGMH2M1\403e55aaec2bf[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\7O8DD8LA\player[4].swf
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\9GR6HM24\feed9c419959266f0581c89205bef170-vega4[1].htm
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\7O8DD8LA\f17118dbf1444d7de961949b6b40d7b4-vega4[2].json
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\9GR6HM24\f17118dbf1444d7de961949b6b40d7b4-vega4[1].json
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\IB3YIIFR\b93905b216994[2].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\QVGMH2M1\9a341e2a35110[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\7O8DD8LA\player[5].swf
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\QVGMH2M1\ffdd1ab5d1e29[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\QVGMH2M1\35da8a417563c[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\QVGMH2M1\403e55aaec2bf[2].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\TWFT7CJB\431c34d2690f4[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\TWFT7CJB\f17118dbf1444d7de961949b6b40d7b4-vega4[1].json
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\9GR6HM24\feed9c419959266f0581c89205bef170-vega4[3].htm
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\9GR6HM24\313532125481b[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\XXDPOORG\player[1].swf
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\0Z872ZZK\313532125481b[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\IB3YIIFR\cached-view[1].css
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\W7HI2FQ4\958e8cf692d15[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\TWFT7CJB\8b1b36f31860d[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\0Z872ZZK\0829eafbec022[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\EY5QJ9L3\cached-view[1].js
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\W7HI2FQ4\f17118dbf1444d7de961949b6b40d7b4-vega4[1].json
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\VBPKZ2RZ\bc74f9eb86345[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\0Z872ZZK\player[2].swf
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\EY5QJ9L3\59203773d188b[1].jpg
C:\Documents and Settings\Leslie's\Application Data\Local Settings\Temporary Internet Files\Content.IE5\JILHOQH5\player[1].swf
C:\Documents and Settings\Leslie's\Local Settings\Temporary Internet Files\Content.IE5\C0ULZBRN\crossdomain[2].xml


#4
July 6, 2009 at 10:40:07


#5
July 6, 2009 at 11:00:12
Actually... after using both Firefox and IE, Google is doing what it's supposed to. No more fake sites. Obviously this is a good sign; do I need to do anything else??


#6

#7
July 6, 2009 at 18:49:59
I ran the scan; it fixed more problems but said it couldn't fix one that had something to do with Trojan Win32/Alureon.gen? This doesn't sound good. What next?? It didn't offer a summary notepad either.


#8
July 6, 2009 at 18:52:47
Yeah, that is a rootkit. Follow these steps in the order numbered:

1) Download GMER: http://gmer.net/download.php
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it to rapidshare.com. Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.

If I'm helping you and I don't reply within 24 hours send me a PM.



#9
July 7, 2009 at 05:11:26
wg0kgirs: (this is the name of the file I D/L for GMER.)

http://rapidshare.com/files/2529933...
MD5: 62D42A235B2E35FD91A851A0394D4962


#10
July 7, 2009 at 07:24:55
Is your original problem fixed?

If I'm helping you and I don't reply within 24 hours send me a PM.



#11
July 7, 2009 at 08:23:42
I think it is. Haven't had any more redirects, just worried about that thing OneCare found and couldn't fix (as posted above).


#12
July 7, 2009 at 08:26:18
Run a full scan with http://www.eset.com/onlinescan/
# Check the box next to YES, I accept the Terms of Use.
# Click Start
# When asked, allow the activex control to be installed.
# Click Start
# Check below options:

    * Remove found threats
    * Scan archives
    * Scan for potentially unwanted applications (Advanced Settings).
    * Enable Anti-Stealth technology (Advanced Settings).

# Click Scan
# Wait for the scan to finish
# When it finishes it will create a log file here: C:\Program Files\ESET\ESET Online Scanner\log.txt
# Attach this logfile to your next message.

Illustrated tutorial: http://img155.imageshack.us/img155/...

If I'm helping you and I don't reply within 24 hours send me a PM.



#13
July 7, 2009 at 17:45:06
I don't know if this means much, but my Mcshield.exe seems to be taking a lot of my CPU, averaging 163,000k. The scan took almost 4 hours; CPU was running 75% most of the scan.
Just thought I would mention it. Also, do I delete the quarantined file as prompted, and do I uninstall or leave it?

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=8862b6e660a1774d848adcaeab55f350
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-07-08 12:38:49
# local_time=2009-07-07 07:38:49 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 21 100 88 458347199531250
# scanned=181263
# found=1
# cleaned=1
# scan_time=13307
C:\Documents and Settings\Leslie's\Local Settings\Temporary Internet Files\Content.IE5\KE85UKUC\wfcdqr[1].htm a variant of Win32/Kryptik.VM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


#14
July 7, 2009 at 17:58:49
Your system seems clean. If you still have your original problem let me know.

If I'm helping you and I don't reply within 24 hours send me a PM.



#15
July 7, 2009 at 18:03:12
Great, thanks Neo. You guys are the coolest.
