
google redirect?


This topic is locked

#31
phon (Member, Topic Starter, 23 posts)
Hi

Here are the log files


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6219

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

3/31/2011 8:13:31 AM
mbam-log-2011-03-31 (08-13-31).txt

Scan type: Quick scan
Objects scanned: 172359
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000b03cb5a21189c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000b03cb5a21189o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000b03cb5a21189p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000b03cb5a21189s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000b03cb5a21189c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000b03cb5a21189o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000b03cb5a21189p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000b03cb5a21189s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=543164e447f50e4480a0fc03c836efa5
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-31 03:08:54
# local_time=2011-03-31 04:08:54 (+1200, New Zealand Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3073 16777213 80 89 37334811 45193889 0 0
# compatibility_mode=5892 16776573 100 100 110081 138229298 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=184618
# found=6
# cleaned=0
# scan_time=5538
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Default\bmealgncnhbeddfiknifiidlbknagegi\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Scott\Desktop\Rhino3D\rh40sr_en_20090226\patch.exe probably a variant of Win32/HackTool.Patcher.A application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Scott\Downloads\GooredFix Backups\C\Users\Scott\Application Data\Mozilla\Firefox\Profiles\4ut75wxc.default\extensions\{e432fb69-51f3-4fe5-9bd5-99b1a02ef78e}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Scott\Downloads\GooredFix Backups\C\Users\Scott\Application Data\Mozilla\Firefox\Profiles\4ut75wxc.default\extensions\{e432fb69-51f3-4fe5-9bd5-99b1a02ef78e}\chrome\xulcache.jar JS/Agent.NCP trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Scott\Downloads\GooredFix Backups\C\Users\Scott\Application Data\Mozilla\Firefox\Profiles\i6moj8ic.default\extensions\{e432fb69-51f3-4fe5-9bd5-99b1a02ef78e}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Scott\Downloads\GooredFix Backups\C\Users\Scott\Application Data\Mozilla\Firefox\Profiles\i6moj8ic.default\extensions\{e432fb69-51f3-4fe5-9bd5-99b1a02ef78e}\chrome\xulcache.jar JS/Agent.NCP trojan (unable to clean) 00000000000000000000000000000000 I
  • 0
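Added example, not part of this thread and not ESET's own code: a small Python parser for the ESET Online Scanner log format posted above, which cross-checks the `found`/`cleaned` header counts against the detail lines and lists the hits left uncleaned. It assumes that ESET threat names start with a platform prefix (`Win32/`, `JS/`) and that Windows paths contain no `/`, so the split between path and threat name is a heuristic; the embedded sample is excerpted from the log above.

```python
import re

# Excerpt of the log posted above, trimmed to the header fields used here.
SAMPLE_LOG = r"""
# scanned=184618
# found=3
# cleaned=0
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Default\bmealgncnhbeddfiknifiidlbknagegi\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Scott\Desktop\Rhino3D\rh40sr_en_20090226\patch.exe probably a variant of Win32/HackTool.Patcher.A application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Scott\Downloads\GooredFix Backups\C\Users\Scott\Application Data\Mozilla\Firefox\Profiles\4ut75wxc.default\extensions\{e432fb69-51f3-4fe5-9bd5-99b1a02ef78e}\chrome\xulcache.jar JS/Agent.NCP trojan (unable to clean) 00000000000000000000000000000000 I
"""

# Detection line: <path> <threat> (<action>) <32-hex hash> <flag>; anchor on the fixed tail, split the rest later.
DETECTION_RE = re.compile(
    r"^(?P<rest>.+?) \((?P<action>[^()]+)\) [0-9a-fA-F]{32} (?P<flag>\S+)$")
QUALIFIERS = {"probably", "a", "variant", "of"}  # ESET's heuristic-hit prefix words

def split_path_threat(rest):
    # Assumption: ESET names carry a platform prefix ('Win32/', 'JS/') and Windows
    # paths never contain '/', so the first token with '/' starts the threat name.
    tokens = rest.split(" ")
    start = next((i for i, t in enumerate(tokens) if "/" in t), len(tokens))
    while start > 0 and tokens[start - 1].lower() in QUALIFIERS:
        start -= 1
    return " ".join(tokens[:start]), " ".join(tokens[start:])

def parse_eset_log(text):
    header, detections = {}, []
    for line in filter(str.strip, text.splitlines()):
        if line.startswith("# "):  # '# key=value' metadata block
            key, _, value = line[2:].partition("=")
            header[key] = int(value) if value.isdigit() else value
            continue
        m = DETECTION_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        path, threat = split_path_threat(m["rest"])
        detections.append({"path": path, "threat": threat, "action": m["action"]})
    return header, detections

def triage(text):
    # Cross-check the summary counts against the detail lines; list what is still pending.
    header, detections = parse_eset_log(text)
    pending = [d["path"] for d in detections if d["action"] == "unable to clean"]
    return {
        "found_matches": header.get("found") == len(detections),
        "cleaned_matches": header.get("cleaned") == len(detections) - len(pending),
        "pending": pending,
        # Hits under backup folders are saved copies, not the live profile; still remove them.
        "backup_copies": [d["path"] for d in detections if "backup" in d["path"].lower()],
    }
```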

#32
phon (Member, Topic Starter, 23 posts)
Hi Blottedisk

I am going to be away for 4 days from tomorrow, so I will be offline until I get back.


Thanks
phon
  • 0

#33
Blottedisk (Trusted Helper, Malware Removal, 124 posts)
Hi phon,


Thanks for telling us :D

When you come back, please do the following:


Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    
    :Files
    C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default
    C:\Users\Scott\Desktop\Rhino3D\rh40sr_en_20090226\
    
    :Commands
    [purity]
    [EmptyFlash]
    [emptytemp]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot when it is done.
  • It will produce a log for you on reboot, please post that log in your next reply.

  • 0

#34
phon (Member, Topic Starter, 23 posts)
Hi Blottedisk

All processes killed
========== OTL ==========
========== FILES ==========
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\User StyleSheets folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Sync Data folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Plugin Data\Google Gears folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Plugin Data folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Media Cache folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Local Storage folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\fhflopcljabdklmedgglmkihdnongdaa\1.0_1\i folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\fhflopcljabdklmedgglmkihdnongdaa\1.0_1 folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\fhflopcljabdklmedgglmkihdnongdaa folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Default\bmealgncnhbeddfiknifiidlbknagegi folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Default folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\databases folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Cached Theme Images folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default\Cache folder moved successfully.
C:\Users\Scott\AppData\Local\Google\Chrome\User Data\Backup Default folder moved successfully.
C:\Users\Scott\Desktop\Rhino3D\rh40sr_en_20090226 folder moved successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Scott
->Flash cache emptied: 1364 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Scott
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 839368 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 101377281 bytes
->Google Chrome cache emptied: 9279088 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3206 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1722 bytes

Total Files Cleaned = 106.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04052011_172715

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
  • 0

#35
Blottedisk (Trusted Helper, Malware Removal, 124 posts)
Hi phon,


Congratulations, we are done.

Please follow this last procedure:


Step 1 | Delete ComboFix and Clean Up

The following will implement some cleanup procedures as well as reset System Restore points. Click Start > Run and copy/paste the following underlined text into the Run box and click OK:

ComboFix /Uninstall

Please advise if this step is missed for any reason as it performs some important actions.


Step 2 | Clean up with OTL

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
  • Now, from the desktop, delete any logs that you have left over.


Step 3 | Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
  • If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • Once the installation is finished, open Adobe Reader and accept the warranty if prompted.
  • Click on Help and select Check for Updates.
  • A window will open and Adobe will check for Updates. If any updates are found to be available click on Download.
  • Once the update is downloaded you will get a system notification telling you so. Click on the popup to restore the window.
  • In the window that opens click Install.
  • Once the update is done click Close.
  • Your Adobe Reader is updated now.


Last Step | Now, in order to avoid future infections, please take time to read the following article:

How did I get infected in the first place?

Thank you for your patience, and performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed :D
  • 0

#36
phon (Member, Topic Starter, 23 posts)
Hi

Thank you so much. You have been amazing!

I couldn't uninstall ComboFix. Windows couldn't find ComboFix.
  • 0

#37
Blottedisk (Trusted Helper, Malware Removal, 124 posts)
Hi phon,


Have you manually removed ComboFix? Is it still on your machine?


Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

  • Download SysRestorePoint to your desktop and unzip it to its own folder.
  • Double click SysRestorePoint.exe so that we can make a new system restore point.
  • A box will pop up after it has made a new point, usually after a few seconds. Close that window and exit the program.

  • 0

#38
phon (Member, Topic Starter, 23 posts)
Hi Blottedisk

I haven't knowingly removed ComboFix manually, but can find no trace of it.

Am I able to restore my Chrome settings, or should I delete that file?

Thank you so very much for sticking with me for this long.

phon
  • 0

#39
Blottedisk (Trusted Helper, Malware Removal, 124 posts)
Hi Phon,

  • Please download the following file and save it to your desktop: CF_UNINST.EXE
  • Right-click it and choose "Run as Administrator". This will uninstall ComboFix as well as perform some other important tasks.

Then you can continue with the other steps.
  • 0

#40
phon (Member, Topic Starter, 23 posts)
Hi Blottedisk

All done thanks.

phon
  • 0

#41
Blottedisk (Trusted Helper, Malware Removal, 124 posts)
Since this issue appears to be resolved, this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please read the Malware and Spyware Cleaning Guide and then begin a New Topic.
  • 0
