
sp.dll infection



The first scan that was stopped is because I realized I didn't disable the avast shields and wanted to make sure that hadn't interfered with the rootkit scan (which apparently it didn't, since Stinger didn't/couldn't do the scan anyway):

McAfee® Labs Stinger Version 10.2.0.562 built on Mar 29 2012

Copyright © 2011 McAfee, Inc. All Rights Reserved.

Virus data file v9999.0000 created on Mar 29 2012.

Ready to scan for 4228 viruses, trojans and variants.

Scan initiated on Thu Mar 29 11:12:59 2012

Rootkit scan result : Not Scanned

No files scanned

Scan initiated on Thu Mar 29 11:13:37 2012

Rootkit scan result : Not Scanned

Master Boot Record(s):....1

Possibly Infected:.............0

Boot Sector(s):.................1

Possibly Infected: ............0

Number of clean files: 24334

As a matter of fact, I was just looking for the Download Manager plugin for this version of Firefox on Google and still got redirected when I clicked a link, to a site called "Gimmie Answers," and all you see there is just this SQL error statement. I can go get a screenshot if you like.

Also, I don't know if this is related to the virus or not, but a while ago, my computer couldn't start for anything, and after rebooting several times, it finally ran CHKDSK on its own, which repaired a couple errors and allowed it to start. Again, not sure if that's related to this virus or not, but thought I'd mention it.

-kosmic94


a)

As a matter of fact, I was just looking for the Download Manager plugin for this version of Firefox on Google and still got redirected when I clicked a link, to a site called "Gimmie Answers," and all you see there is just this SQL error statement. I can go get a screenshot if you like.

You do not need any plugin or any download manager to get Firefox updated & current.

Start Firefox. Choose Help from Firefox menu bar, then About. Follow the onscreen prompts.

If you cannot follow that, or have an issue, I will beg off and have you pursue on your own support at Firefox.

b)

Also, I don't know if this is related to the virus or not, but a while ago, my computer couldn't start for anything, and after rebooting several times, it finally ran CHKDSK on its own, which repaired a couple errors and allowed it to start. Again, not sure if that's related to this virus or not, but thought I'd mention it.

Not related to malware.

It is standard for Windows to run CHKDSK at startup and you will certainly see it "if" Windows was not shut down properly or if Windows abended on the prior run.

c) It's nearing the end of the hunt for infections. There are none left that I know of.

Suggest you start AVAST.

Do an Update run

Then do a scan of this system

Let me know the results, and do not go away, because we will have other steps to remove tools used.


a)

You do not need any plugin or any download manager to get Firefox updated & current.

Start Firefox. Choose Help from Firefox menu bar, then About. Follow the onscreen prompts.

If you cannot follow that, or have an issue, I will beg off and have you pursue on your own support at Firefox.

I meant I was looking for a plugin for my program, Free Download Manager, so that, when I click a download link in Firefox, it will download with FDM instead of the built-in downloader...

b)

Not related to malware.

It is standard for Windows to run CHKDSK at startup and you will certainly see it "if" Windows was not shutdown properly or if Windows abended on the prior run.

I don't believe it's standard for Windows to try to start several times and fail each time and then have to run CHKDSK as an emergency solution to allow bootup.

c) It's nearing the end of the hunt for infections. There are none left that I know of.

Suggest you start AVAST.

Do an Update run

Then do a scan of this system

Let me know the results, and do not go away, because we will have other steps to remove tools used.

I have run a full scan with avast before now and nothing came up. Just this morning I did a quick scan and nothing came up, and the first thing I did when I got this infection was to run a "Comprehensive Scan" (a custom scan I input that scans every single file on the entire computer on max heuristics) and it found nothing of consequence. If you really think it's worth it I can go do it again but it sounds like a waste of time.

Do you think anyone else might be able to figure out what's wrong?

-kosmic94


Just guessing, but perhaps an NMap scan to my own IP could tell if there is a backdoor open? That way I'd know if I'm in much danger or not. Bear in mind I really know nothing about nmap or computer tech at all, I'm just guessing here from what little I do know.

-kosmic94


Define "what" you mean by wrong?

What I saw wrong was the sp.dll associated with Minecraft (now gone) and the files tagged and deleted by ESET scan (those mainly being files downloaded before).

I may mention too that the downloads tagged do not reflect good practice.

If you wish to see if someone else will volunteer to help you, let me know. You will have to wait your turn at the back of the queue. The malware-help forum is very busy.


Define "what" you mean by wrong?

The virus? Whatever's redirecting Google searches? If I knew exactly what was wrong, that would mean I was knowledgeable about computer tech, and if I was, I would simply fix the issue myself. Unfortunately, I can't do that.

If you wish to see if someone else will volunteer to help you, let me know. You will have to wait your turn at the back of the queue. The malware-help forum is very busy.

I guess I'll have to? I don't know, if you think no one will know what the issue is, maybe it's not worth it. My mother has used this computer for transactions before and there has been no theft of any kind, but that could just mean that the virus wasn't on here when she was using it for those things, or it could mean the virus is not a threat, or is just adware, or annoyance-ware or some such thing. If I knew, I would deal with it myself. I'm here because I don't. What I can say is that if there's nothing more that can be done, we will simply have to continue using this computer and just cross our fingers, because we certainly cannot afford a new one right now, and there is too much vitally important data on here to re-install the OS.

-kosmic94


Viruses are not what this system had. It's more in the possible nature of a trojan.

A suspicious DLL and some dodgy downloads have been removed.

This system "may" have some serious backdoor trojans, spyware.

This is a point where you need to decide about whether to make a clean start.

IF there is a backdoor trojan, this allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh. While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions. I would recommend that you do a full reformat and reinstall of Windows rather than clean the system.

I suggest that you backup important files and reinstall everything from scratch. There are so many changes that could have been done if that backdoor was used.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx

Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx

Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp

You definitely now need to make backups to offline media (like removable USB-drive, CD, or DVD) of all the important personal documents, files, etc.

That is in case the worst turns into worst. But in any event, you always need backups, in any event.

I am looking for possible volunteer to take over this case.


Go to Control Panel, then Un-install Coupon Printer for Windows

Next:

1. Open Internet Explorer.

2. Click "Tools," and then click "Internet Options."

3. Click "Connections," and then click "LAN Settings."

4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected.

5. Make sure the Proxy server box is un-checked.

6. Apply changes & OK

Next:

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
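The LAN Settings steps above are a manual check of the WinINET proxy configuration that Internet Explorer (and, by default, Firefox via "Use system proxy settings") honours. The script below is an added example, not part of the thread or of any tool named in it: it reads the same settings for the current user from the registry and reports anything that would let traffic be redirected. The registry path, the `ProxyEnable`, `ProxyServer` and `AutoConfigURL` values, and the flag byte at offset 8 of `DefaultConnectionSettings` are standard WinINET locations; the script is read-only and changes nothing.

```powershell
# Added example (not from the thread): audit the current user's WinINET proxy
# settings, i.e. what the "LAN Settings" dialog in Internet Options edits.
# Read-only: it reports, it does not modify anything.
$path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$s = Get-ItemProperty -Path $path -ErrorAction Stop

$findings = @()

# "Use a proxy server for your LAN" box
if ($s.ProxyEnable -eq 1) {
    $findings += "Proxy server is enabled: $($s.ProxyServer)"
}

# "Use automatic configuration script" box (PAC file URL)
if ($s.AutoConfigURL) {
    $findings += "Automatic configuration script is set: $($s.AutoConfigURL)"
}

# "Automatically detect settings" is not a plain value; it lives in the flags
# byte (offset 8) of the DefaultConnectionSettings binary blob:
#   0x01 direct, 0x02 proxy, 0x04 PAC script, 0x08 auto-detect (WPAD)
$conn = Get-ItemProperty -Path "$path\Connections" -ErrorAction SilentlyContinue
if ($conn -and $conn.DefaultConnectionSettings) {
    $flags = [int]$conn.DefaultConnectionSettings[8]
    if ($flags -band 0x08) { $findings += 'Automatically detect settings (WPAD) is on' }
    if ($flags -band 0x04) { $findings += 'PAC-script flag set in DefaultConnectionSettings' }
    if ($flags -band 0x02) { $findings += 'Proxy flag set in DefaultConnectionSettings' }
}

if ($findings.Count -eq 0) {
    'No proxy, configuration script or auto-detect configured for this user.'
} else {
    'Settings that can divert browsing through a third party (verify each one):'
    $findings | ForEach-Object { "  - $_" }
}
```

Run it in a normal (non-elevated) PowerShell session, since the settings are per user: the values under HKCU belong to whoever is logged on, so on a shared machine run it once as each account. Firefox only follows these settings when its own connection setting is "Use system proxy settings"; an add-on such as FoxyProxy (visible in the GooredFix listing later in this thread) keeps its own proxy list, which this script does not read.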


RogueKiller V7.3.2 [03/20/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version

Started in : Normal mode

User: Flood [Admin rights]

Mode: Scan -- Date: 03/29/2012 19:41:00

¤¤¤ Bad processes: 3 ¤¤¤

[sUSP PATH] ChiFuncExt.exe -- C:\Windows\ChiFuncExt.exe -> KILLED [TermProc]

[sUSP PATH] CNYHKey.exe -- C:\Windows\CNYHKey.exe -> KILLED [TermProc]

[sUSP PATH] ModLEDKey.exe -- C:\Windows\ModLedKey.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400AAKS-22A7B2 ATA Device +++++

--- User ---

[MBR] 4f7d41f34f33dd16cebf6f24dcb24be0

[bSP] 07a876173e57f344a5cfd45c3cad0390 : Acer tatooed MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 10001 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20484096 | Size: 600477 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

-kosmic94
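RogueKiller's "HOSTS File" section above lists the active entries of the HOSTS file; a clean Vista file shows only loopback mappings such as `127.0.0.1 localhost`. The following script is an added example, not from the thread or from RogueKiller, that performs the same check from PowerShell: it locates the HOSTS file through the `DataBasePath` value under the Tcpip service parameters (a hijacker can point that value at a different directory, so the location itself is checked), parses the active lines, and flags any entry that resolves a name to something other than a loopback address. It is read-only.

```powershell
# Added example (not from the thread): audit the HOSTS file the way the
# RogueKiller "HOSTS File" section does, plus a check that the file being read
# is the one in the default location. Read-only.

# TCP/IP reads the hosts file from the directory named by DataBasePath.
$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath = (Get-ItemProperty -Path $tcpipParams).DataBasePath
$expanded = [Environment]::ExpandEnvironmentVariables($dbPath)
$defaultDir = Join-Path $env:SystemRoot 'System32\drivers\etc'
if ($expanded.TrimEnd('\') -ne $defaultDir.TrimEnd('\')) {
    "WARNING: DataBasePath is '$dbPath', not the default '$defaultDir'"
}
$hostsPath = Join-Path $expanded 'hosts'
"Reading $hostsPath"

# Parse active lines: strip comments, split on whitespace, first token is the address.
$entries = Get-Content -Path $hostsPath | ForEach-Object {
    $line = ($_ -split '#', 2)[0].Trim()
    if ($line) {
        $parts = $line -split '\s+'
        $names = if ($parts.Count -gt 1) { $parts[1..($parts.Count - 1)] } else { @() }
        [pscustomobject]@{ Address = $parts[0]; Names = $names }
    }
}

# Loopback mappings are normal; anything else deserves a deliberate look.
$loopback = @('127.0.0.1', '::1')
$suspect = @($entries | Where-Object { $loopback -notcontains $_.Address })

"Active HOSTS entries: $(@($entries).Count)"
if ($suspect.Count -eq 0) {
    'All entries map to loopback only.'
} else {
    'Entries that point somewhere other than loopback:'
    $suspect | ForEach-Object { "  $($_.Address) -> $($_.Names -join ', ')" }
}
```

Entries that map names to `0.0.0.0` are usually from an ad-blocking hosts list the owner installed on purpose and are harmless; the ones to scrutinise are names of search engines, update servers or security vendors mapped to a routable address. The hosts file is normally readable by any user, but the `DataBasePath` check only tells you where the system looks, not whether the file has been tampered with, so compare the output against what you expect to be there.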


Let's follow-up with a fix with RogueKiller

  • Disable your anti-virus program, How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Right-Click RogueKiller and select Run as Administrator.
  • Wait until Prescan finishes.
  • On the RogueKiller console, click the Registry tab.
  • Then press the Delete button.
  • Next, click the DNS tab if & only if it shows & is enabled {otherwise, skip}, and then click on the DNS Fix button
  • When done, logoff & Restart the system.
  • The log will be found as RKreport
    Copy & Paste the contents into next reply.

Step 2

Please download Listparts64

Run the tool, click Scan and post the log (Result.txt) it makes.

Step 3

Re-enable your antivirus.

You already have the DDS utility. I need a fresh report from it.

Re-run DDS

In your next reply, Copy & Paste RKReport

Result.txt

DDS.txt

Also, tell me if you have a hardware router, between your system & the incoming internet-connection modem.

If so, tell me the make & model of the router.

You need to attempt to reset the router.

First, disconnect the pc from internet. Disconnect the connections to the router.

Power off the router.

Wait for about a minute.

Power up the router.

Reconnect connections to the router.

Reconnect your pc.

Later on, it may be necessary to hardware-reset the router.


RogueKiller Log is first, then Listparts64 log. DDS.txt and Attach.txt are attachments.

By "router" do you mean a device for WiFi? If so, no. I have an ethernet cable which runs from my computer to a device which has a cable (like a TV cable) running to the wall. I presume this is a modem. However, I followed what you said - disconnected the computer from the modem, then the cable to the wall, then the power cord, then reverse order. The modem is of the brand "Scientific Atlanta," and the model number appears to be DPC2100R2.

RKiller log:

RogueKiller V7.3.2 [03/20/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo...13-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version

Started in : Normal mode

User: Flood [Admin rights]

Mode: Remove -- Date: 03/30/2012 18:00:29

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400AAKS-22A7B2 ATA Device +++++

--- User ---

[MBR] 4f7d41f34f33dd16cebf6f24dcb24be0

[bSP] 07a876173e57f344a5cfd45c3cad0390 : Acer tatooed MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 10001 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20484096 | Size: 600477 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

Listparts64 log:

ListParts by Farbar Version: 12-03-2012 03

Ran by Flood (administrator) on 30-03-2012 at 18:07:03

Windows Vista (X64)

Running From: C:\Users\Flood\Desktop

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 37%

Total physical RAM: 3838.27 MB

Available physical RAM: 2417.34 MB

Total Pagefile: 7863.03 MB

Available Pagefile: 6177.19 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:586.4 GB) (Free:227.6 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]

2 Drive d: (EForceXP) (CDROM) (Total:0.3 GB) (Free:0 GB) CDFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 596 GB 0 B

Disk 1 No Media 0 B 0 B

Disk 2 No Media 0 B 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 10 GB 32 KB

Partition 2 Primary 586 GB 10 GB

======================================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C OS NTFS Partition 586 GB Healthy System (partition with boot components)

======================================================================================================

****** End Of Log ******

-kosmic94

DDS(1).txt

Attach(1).txt


The Listparts report is good.

RogueKiller did a good run.

Be sure your Avast antivirus is On.

Download >> Farbar's Service Scanner utility << and Save to your Desktop.

If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.

If using XP, double-click to start.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:

  • Internet Services
  • Windows firewall
  • System Restore
  • Security Center
  • Windows Update

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Copy & Paste contents of FSS.txt into your reply.

IF a search redirect is happening, I will need all details as to how & with which browser it is happening: Internet Explorer, or Firefox, or Chrome or ??

Also, are you clicking on ad-links?


In fact, I just had a re-direct happen on a link, and I went back and clicked again, and it went through. I use Firefox. I have only had it happen on Google, although I don't use any other search engine really (I tried a Yahoo search once but that wouldn't be enough for a thorough test). Always I get redirected to a site with some looooong URL and there is an SQL error message that displays.

Ad links? I generally never click on ads, no.

FSS log:

Farbar Service Scanner Version: 01-03-2012

Ran by Flood (administrator) on 30-03-2012 at 18:55:35

Running from "C:\Users\Flood\Desktop"

Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

File Check:

========

C:\Windows\System32\nsisvc.dll

[2008-01-20 22:49] - [2008-01-20 22:49] - 0024576 ____A (Microsoft Corporation) ACB62BAA1C319B17752553DF3026EEEB

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcsvc.dll

[2009-06-22 01:10] - [2009-04-11 03:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7

C:\Windows\System32\drivers\afd.sys => MD5 is legit

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys

[2011-08-21 19:32] - [2011-06-17 16:14] - 1427344 ____A (Microsoft Corporation) 4DAD14118FBCF7C609F2A4CE21FBCC5F

C:\Windows\System32\dnsrslvr.dll

[2011-07-14 13:34] - [2011-03-02 12:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0

C:\Windows\System32\mpssvc.dll

[2009-06-22 01:11] - [2009-04-11 03:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C

C:\Windows\System32\bfe.dll

[2009-06-22 01:10] - [2009-04-11 03:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll

[2008-01-20 22:47] - [2008-01-20 22:47] - 0128000 ____A (Microsoft Corporation) 4FF71B076A7760FE75EA5AE2D0EE0018

C:\Windows\System32\vssvc.exe

[2009-06-22 01:11] - [2009-04-11 03:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1

C:\Windows\System32\wscsvc.dll

[2009-06-22 01:10] - [2009-04-11 03:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A

C:\Windows\System32\wbem\WMIsvc.dll

[2009-06-22 01:10] - [2009-04-11 03:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02

C:\Windows\System32\wuaueng.dll

[2009-10-02 12:40] - [2009-08-06 22:24] - 2424024 ____A (Microsoft Corporation) FB3796754FE00F0BDC87A36F164A5F4D

C:\Windows\System32\qmgr.dll

[2009-06-22 01:11] - [2009-04-11 03:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C

C:\Windows\System32\es.dll

[2009-06-22 01:11] - [2009-04-11 03:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF

C:\Windows\System32\cryptsvc.dll

[2009-06-22 01:10] - [2009-04-11 03:11] - 0166912 ____A (Microsoft Corporation) 18918613E63F387CDE4D95CA7D49DCF7

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll

[2009-06-22 01:11] - [2009-04-11 03:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF

**** End of log ****

-kosmic94


All right, then, I'd recommend you remove Firefox, and get a new setup of Firefox.

De-install Firefox.

Logoff and reboot system.

Using Internet Explorer, go to www.mozilla.org

Download and SAVE firefox

Close Internet Explorer, and then apply the setup of Firefox.

When completed, logoff and restart the system fresh.


Done. First time I installed with the "Run" button and ran Firefox before restarting the second time, so I went back, uninstalled again, and saved the downloader to the desktop, ran as admin, restarted afterward before running Firefox. Tested a couple searches; no redirects yet, but that doesn't mean anything. Also, I didn't uninstall the personal settings and customizations, so I wouldn't lose everything, if that matters.

I mostly get redirected to "GimmieAnswers," and if you search that on Google, it's apparently a well-known virus, but I was directed to some other site, like "hapili," or something, once (it started with an H but I don't think that was the exact name).

My ma, who uses Internet Explorer, says it's possible she has also been redirected in this manner, but she doesn't remember for sure. As I don't use IE, I don't know.

-kosmic94


What you call a virus may not be a "virus". By that I mean, if you guys are initially getting to Google site ok (or even another search engine like Bing), you cannot & must not think that any one "result" or link is "safe" !!!!!

Do not be quick to click. Don't click on any link before "studying" what site it is on. Ask yourself, can I reasonably be safe on that site?

Seeing a search result on a search engine does NOT mean that the link is safe.

I am convinced that there's nothing left here that is a hijacker.

I am going to suggest 2 scans. And after that, it is high time to end this chase.

Step 1

Temporarily disable your antivirus.

Next, get/save to the Desktop / and then run the MS Safety scanner

http://www.microsoft.com/security/scanner/en-us/default.aspx

Step 2

Next, do another scan.

Perform this online scan: F-Secure Online Scanner

The online scanner is on the bottom right of the page.

Follow the directions in the F-Secure page for proper Installation.

You may receive an alert on the address bar at this point to install the ActiveX control.

Click on that alert and then click "Install ActiveX component".

Read the license agreement and click "Accept".

Click "Custom Scan" and be sure the following are checked:

  • Scan whole System
  • Scan all files
  • Scan whole system for rootkits
  • Scan whole system for spyware
  • Use advanced heuristics

When the scan completes, click the "I want to decide item by item" button.

For each item found, Select "Disinfect" and click "Next".

When done, click the "Show Report" button, then copy and paste the entire report into your next reply.

Step 3

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 4

Post the results.

Re-enable your antivirus.


First scan removed several oddities, but the most interesting were a Javascript exploit and a Win32/backdoor.

Second scan found nothing; I don't see the report; I thought it saved a text file, but, I don't see it.

Third scan also found nothing it didn't find before. Not worth posting the same report all over again.

I am still getting redirected Google searches to GimmieAnswers and Happili and some other dumb site. It happens at random and if I go back to Google I can click the same link and it will go through.

-kosmic94


I need the MBAM scan log from the last run. Post a copy so that I can review.

Be very, very specific as to which browser you used when Googling?

What the search term is? and what the site should be that you were after?

Why the need to use Google?

Step 1

Visit this page and apply more security to Firefox http://ubuntuforums.org/showthread.php?t=671604

Step 2

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Step 3

Download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Step 4

Get and run the Windows Defender Offline tool. It is a tool that runs off a boot-USB-drive or a boot-CD that you prepare from it.

The tool will scan for malware on the system.

The frequently asked questions section is at

http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

http://windows.microsoft.com/en-US/windows/windows-defender-offline-faq

Edited by Maurice Naggar

  • 2 weeks later...

I did the second and third things. Can't do the last anyway as I have no boot equipment.

GooredFix by jpshortstuff (03.07.10.1)

Log created at 14:58 on 15/04/2012 (Flood)

Firefox version 11.0 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\

{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [21:29 27/09/2011]

{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:47 31/03/2012]

C:\Users\Flood\Application Data\Mozilla\Firefox\Profiles\360vmvb8.default\extensions\

battlefieldheroespatcher@ea.com [21:22 30/08/2011]

battlefieldplay4free@ea.com [01:23 24/08/2011]

foxyproxy@eric.h.jung [02:49 17/03/2012]

gcyvknqexv@gcyvknqexv.org [22:01 22/03/2012]

{20a82645-c095-46ed-80e3-08825760534b} [03:56 10/05/2010]

{455D905A-D37C-4643-A9E2-F6FEFAA0424A} [06:46 29/12/2011]

{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a} [16:20 15/05/2011]

{9051303c-7e41-4311-a783-d6fe5ef2832d} [04:44 02/04/2012]

{9c51bd27-6ed8-4000-a2bf-36cb95c0c947} [18:19 12/02/2010]

{ACAA314B-EEBA-48e4-AD47-84E31C44796C} [02:27 25/06/2011]

{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [20:10 29/03/2012]

{bb6bc1bb-f824-4702-90cd-35e2fb24f25d} [00:04 27/04/2011]

{c45c406e-ab73-11d8-be73-000a95be3b12} [00:39 07/01/2011]

{e968fc70-8f95-4ab9-9e79-304de2a71ee1} [00:39 07/01/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:42 18/06/2009]

"{23fcfd51-4958-4f00-80a3-ae97e717ed8b}"="C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\html5video" [22:41 30/12/2010]

"{6904342A-8307-11DF-A508-4AE2DFD72085}"="C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\wpa" [22:41 30/12/2010]

"wrc@avast.com"="C:\Program Files\Alwil Software\Avast5\WebRep\FF" [00:13 06/03/2011]

-=E.O.F=-

I'm using Google because I have to. Nothing's been compromised yet, just the redirects, and I doubt this is going to go anywhere.

-kosmic94


If your pc can boot from a USB-drive, you only need a small USB-flash drive (one that can hold 250 MB is sufficient) for the Windows Defender Offline Beta

See http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

If your pc cannot boot from a USB drive, then get a CD and build the Windows Defender onto it; set your pc to boot from CD and scan it.


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.