infectedturtle

Windows 7 x64 Redirect Hijack Chrome, FF, IE

37 posts in this topic

All processes killed

========== OTL ==========

C:\Users\Lucas\AppData\Local\458ffeq4p6hr700641u moved successfully.

ADS C:\ProgramData\Microsoft:ao1VlNx8YbGrn9Wv1Onms6MKZd deleted successfully.

ADS C:\ProgramData\Microsoft:wXz4oHAJVT4QGLZeJNjw8iHdTa deleted successfully.

========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Lucas

->Java cache emptied: 1494674 bytes

User: Public

Total Java Files Cleaned = 1.00 mb

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 56475 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Lucas

->Temp folder emptied: 56861689 bytes

->Temporary Internet Files folder emptied: 62597174 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 326331337 bytes

->Google Chrome cache emptied: 314060122 bytes

->Flash cache emptied: 59054 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 56659301 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67563 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 779.00 mb

OTL by OldTimer - Version 3.2.42.3 log created on 05102012_203231

Files\Folders moved on Reboot...

C:\Users\Lucas\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...


Is there any difference?

Are you using a router?

---------------------------------------

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    C:\Users\Lucas\AppData\Roaming\.minecraft\.minecraft\sqduxv.dll
    C:\Users\Lucas\AppData\Roaming\.minecraft\.minecraft\ulbzyvwiq.dll


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

-------------------------------

Reboot and .......

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how it is, MrC


Hello, there is no difference, I am still getting the redirects. Yes I am behind a router, no open ports DD-WRT. Do I need to worry about my passwords? I am considering just wiping the drive and starting over, but I wish I didn't have to. I will run your suggestions and report back.


========== FILES ==========

File\Folder C:\Users\Lucas\AppData\Roaming\.minecraft\.minecraft\sqduxv.dll not found.

File\Folder C:\Users\Lucas\AppData\Roaming\.minecraft\.minecraft\ulbzyvwiq.dll not found.

OTL by OldTimer - Version 3.2.42.3 log created on 05112012_101642


Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.11.01

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Lucas :: DEATHWING [administrator]

5/11/2012 10:17:54 AM

mbam-log-2012-05-11 (10-17-54).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 203021

Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Let's reset the router:

Shut down the computer and reset the router:

http://www.online-te...fault-settings/

There should be a reset button that you push, or a hole that you stick a pin into, to reset the router (usually 10 seconds).

It's usually located on the back of the router; check your owner's manual.

If you can't find one, just disconnect the power from the router for about a minute, then reconnect it, let it reset then turn the computer back on and see how it is.

------------------------------------

Then download, unzip and run flush.bat:

http://forums.malwar...attach_id=77835

Let me know, MrC


I am afraid there isn't anything wrong with the Router. None of the other computers in the house have the same symptoms. This isn't a DNS thing because if you try to go to the link again, it will work correctly. It is only the first attempt which redirects. My HOSTS file is also healthy.

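The redirect vectors argued over in the posts above (DNS, the hosts file) plus the two alternate data streams the OTL log removed from C:\ProgramData\Microsoft can be checked in one pass. The script below is an added example, not part of this thread and not code from OTL, MBAM, ComboFix or the flush.bat MrC linked. It goes slightly beyond what the thread covers by also reading the WinINET proxy/PAC settings that IE and, unless configured otherwise, Chrome use, because a proxy set without the user's knowledge is another way a browser ends up somewhere it did not ask to go. It assumes an elevated PowerShell prompt on Windows 7 (stock PowerShell 2.0, which lacks Get-Item -Stream, hence cmd's dir /R), default Windows paths, and a parent folder of C:\ProgramData; the function names are my own.

```powershell
# Added example, not from the thread or from OTL/MBAM/ComboFix: read-only audit
# of the usual browser-redirect vectors on a Windows 7 x64 host. Assumptions:
# an elevated PowerShell 2.0+ prompt, default Windows paths, and the parent
# folder of the ADS host named in the OTL log (C:\ProgramData\Microsoft).

function Get-SuspectHostsEntries {
    # hosts lines that map a name to an address and are not the stock
    # localhost entries (on Windows 7 even those are usually commented out).
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts | Where-Object {
        ($_ -match '^\s*[0-9A-Fa-f:.]+\s+\S+') -and
        ($_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$')
    }
}

function Get-AdapterDnsServers {
    # DNS servers per IP-enabled adapter. Behind a home router the router's
    # address is expected here; anything else needs an explanation.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, DHCPEnabled, DNSServerSearchOrder
}

function Get-WinInetProxySettings {
    # WinINET proxy settings used by IE and, unless configured otherwise, Chrome.
    # With a proxy or PAC (AutoConfigURL) in place the browser hands the request
    # to the proxy instead of resolving the site itself, so neither the hosts
    # file nor the adapter DNS servers would show the redirect.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    New-Object -TypeName PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }
}

function Get-AlternateDataStreams {
    param([string]$Parent = 'C:\ProgramData')
    # PowerShell 2.0 lacks Get-Item -Stream, so use cmd's dir /R, which lists
    # every named stream as "<item>:<stream>:$DATA". A stream attached to the
    # C:\ProgramData\Microsoft folder itself shows up when its parent is listed.
    # Zone.Identifier is the benign "downloaded from the Internet" marker.
    cmd /c dir /R /A $Parent |
        Where-Object { ($_ -match ':\$DATA\s*$') -and ($_ -notmatch ':Zone\.Identifier:') } |
        ForEach-Object { $_.Trim() }
}

# Run all four checks and print the results.
'== hosts entries beyond localhost =='
Get-SuspectHostsEntries
'== DNS servers per adapter =='
Get-AdapterDnsServers | Format-Table -AutoSize
'== WinINET proxy / PAC =='
Get-WinInetProxySettings | Format-List ProxyEnable, ProxyServer, AutoConfigURL
'== alternate data streams under C:\ProgramData =='
Get-AlternateDataStreams
```

On a clean machine the hosts check prints nothing, ProxyEnable is 0 with empty ProxyServer and AutoConfigURL, the DNS list shows only the router or ISP resolvers, and the stream check prints nothing. On the machine in this thread, before the OTL fix ran, the last check would have listed the two randomly named streams on the Microsoft folder that appear at the top of the OTL log; the script only reports, it removes nothing.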

I went ahead and didn't hard reset my router because I do not want to re-setup all of the intricate things I've done (DD-WRT). I also inspected the .bat file because I do not run scripts without knowing what they do and I have already done the things it was slated to do. No effect.

Finally I deleted my user profiles for Chrome and Firefox and we will see if it keeps doing it. I don't ever run IE so that wouldn't have anything to do with the equation.


Deleting the profiles from Firefox and Chrome and re-syncing from their servers ended up getting rid of the problem. Thanks for your help. Do you believe I should worry about the security of my passwords?


Passwords.....I would certainly keep an eye on the accounts, at best change all the passwords.

A little cleanup to do.

Please Uninstall ComboFix:

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Run OTL and hit the CleanUp button. (This will clean up the tools and logs used, including itself.)

Any other programs or logs you can manually delete.

-------------------------------

You have out-of-date Java on the system; older versions are vulnerable to malware.

Go to your Control Panel's Add/Remove Programs and uninstall all the Java versions listed, and

then download and install the latest version, Java™ 7 Update 4.

http://www.java.com/...load/manual.jsp <---latest version

http://www.java.com/...d/installed.jsp <---verify your Java

-----------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.
