Am I infected?

Dscheksn

New Member
Thread author
Verified
Feb 3, 2013
15
Hey Community,

I just found 3 false positives... maybe... still don't have an answer from SuperAntiSpyware... after 2 hours of scanning my PC.

I stopped the scan because it kept scanning and scanning, because I chose to scan every single file, not only .exe and .com, and all files bigger than 4 MB.

So I ask myself, how can I find out if I am infected with any kind of virus?
Can you help me? I did a HijackThis scan but don't understand it.

What programs do you use, for example?
Maybe somebody also has time to explain what he sees in the logs and how he reacts =)

Greets
Dscheksn
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips!

Are you worried that you are infected? What are the 3 detections that it showed? I can check if you are infected or not if you want.

There are many tools to diagnose an infection, but for the average user, scanning your PC with multiple programs is the best way. HijackThis is very advanced, technical, and outdated software; it is not used anymore.

Fiery
 

Exterminator

Community Manager
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Have you tried scanning your PC with Malwarebytes Anti-Malware Free?

Download MBAM Free

Also, you can try HitmanPro, which offers unlimited free scanning and a free 30-day version to remove detected malware.

Download Hitman Pro 3.7

Try these, which are both great on-demand scanners to have on hand, and like Fiery said, post the detections. Then someone here can guide you on whether these are true FPs or they need to be removed.
 

Dscheksn

New Member
Thread author
Verified
Feb 3, 2013
15
"I can check if you are infected or not if you want." It would be really nice =) Please do so. What do I have to use/run? =)

I have been fanatic about getting a clean system for some weeks now and checked my system with:

ZoneAlarm Antivir + Firewall: Running actively
SuperAntiSpyware: Running actively (Is this bad? Because people say not to run 2 antiviruses, but this isn't an antivirus, or am I wrong?)
Spybot Search & Destroy:
ESET Online Scanner:
Sophos Virus Removal Tool:
Malwyre Antirootkit Tool: I think it's beta

I used so many tools because people in forums say that there is no antivirus that finds 100% of everything, because every antivirus has its own way to detect stuff.

After reading an antivirus test of 2013 on a German homepage http://www.chip.de/artikel/Beste-Sicherheitssoftware-im-Test-Dezember-2012_59880137.html they wrote that "Zone Alarm Antivirus + Firewall" is the best freeware out there. Would you say they are right?

What tools do you use to secure your system?

Here some logs:
(1) Hijackthis
[attachment=3421]

(2) SuperAntiSpyware: this one has the possible false positive.
[attachment=3420]

(3) mbar: Kept this log because it found so much stuff...
[attachment=3419]

Thank you very much for your help =)
 

Attachments

  • mbar-log-2013-02-03 (04-26-17).txt
    24.5 KB · Views: 122
  • SUPERAntiSpyware Scan Log - 02-03-2013 - 07-33-30.txt
    864 bytes · Views: 128
  • hijackthis(04.02.2013.04.43am).txt
    27 KB · Views: 117

Fiery

Level 1
Jan 11, 2011
2,007
I use Comodo Internet Security because of its host intrusion prevention system. However, it is difficult to use for a novice user. I recommend:


In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.




As for your system, you seem to have some adware installed. Let's clean some up.

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (for Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt




Download OTL by Old Timer from here and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Change Standard Registry to All
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please attach the contents of these 2 Notepad files in your next reply.
 

Ramblin

Level 3
May 14, 2011
1,014
Dscheksn, your computer is infected with Funmoods. Your HJT log shows this entry:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0E0E0A0FyBz z0C0EyB0AtC0FtCzzyCzytN0D0Tzu0CtByCyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2142336098

Malwarebytes shows a bunch of it also. If it was me who was infected, this is what I would do:

Let MBAR quarantine anything with the name Funmoods, and after a reboot run MBAR again. After the second MBAR scan, see if HJT still shows the Funmoods entry; if it does, I would get it fixed.

That's a start, I think.

Bo
 

Dscheksn

New Member
Thread author
Verified
Feb 3, 2013
15
First of all, thank you very much for your help.
I hope I can learn something by using these steps.

So here are the requested files.
Sorry for my bad language, I am German =)

Here is the AdwCleaner S1 file. I attached the AdwCleaner R1 file as well.
[attachment=3454]
It's sad that it found something after all my scans with all that antivirus stuff.
Good that it deleted all those things.

Here are the OTL and Extras files.
[attachment=3456]
[attachment=3457]

There is also a dds file attached because I can't delete it from the attachments... Short story about that file.

I am in contact with Malwarebytes Support as well because I am unable to install their latest antivirus tool. He wanted me to run DDS.
---------------------------------------------------------------------------------------------------------------------------------------------
Update 08.02.2013-10:58 a.m.

I am using Google Chrome and noticed I have a new startup page: www.22apple.com. I googled it and it seems to be malicious.
Here is what I did so far.

I changed my startup page manually to www.ixquick.com in the configuration. It still appears =(
All these scans, a waste of time, still infected, it's unbelievable.
---------------------------------------------------------------------------------------------------------------------------------------------
New Update 08.02.2013-12:54 p.m.

After doing more research I read all of his tutorials (https://www.techsupportalert.com/content/how-know-if-your-computer-infected.htm#Use-Comodo-Autoruns) and tried to uninstall Delta-Toolbar.
Suddenly my ZoneAlarm Firewall went crazy and blocked everything from a program called "${PRDCT_DSP}".
It wanted to open everything! Like a rat that was trapped, haha.
The trace is C:/User/appdata/local/temp/Delta/delta/1.8.10.0/delta4ie.exe (even a hidden folder -.-)
Is there an option to report this file? -.- Holy crap, it deleted itself. Can't find the folder by manually typing the path.

The problem with the startup page still exists.

Greets
Dscheksn
 

Attachments

  • AdwCleaner[R1].txt
    24.3 KB · Views: 169
  • AdwCleaner[S1].txt
    23.8 KB · Views: 153
  • dds.txt
    27.6 KB · Views: 148
  • OTL.Txt
    171.5 KB · Views: 128
  • Extras.Txt
    103.8 KB · Views: 119

Fiery

Level 1
Jan 11, 2011
2,007
Hi, there is still some stuff left to remove. The fix should solve the 22apple redirect. By the way, does "Ordner Gefunden" or "Schlüssel Gefunden" mean deleted?

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0E0E0A0FyBzz0C0EyB0AtC0FtCzzyCzytN0D0Tzu0CtByCyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2142336098
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.22apple.com/newtab?utm_source=b&ch=sof&uid=ST9500325AS_5VELLHF4XXXX5VELLHF4&reg=1360097647
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.22apple.com/newtab?utm_source=b&ch=sof&uid=ST9500325AS_5VELLHF4XXXX5VELLHF4&reg=1360097647
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0E0E0A0FyBzz0C0EyB0AtC0FtCzzyCzytN0D0Tzu0CtByCyDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2142336098
IE - HKU\S-1-5-21-118730695-2930708135-923205674-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.22apple.com/newtab?utm_source=b&ch=sof&uid=ST9500325AS_5VELLHF4XXXX5VELLHF4&reg=1360097647
IE - HKU\S-1-5-21-118730695-2930708135-923205674-1000\..\SearchScopes\{5FF5AA2F-45A2-4535-A104-60A80566F195}: "URL" = http://start.funmoods.com/results.php?f=4&a=grupo&q={searchTerms}
IE - HKU\S-1-5-21-118730695-2930708135-923205674-1000\..\SearchScopes\{617E16C8-DB03-30C6-0A58-5311063E2913}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=110000&tt=120912_pcp_3812_4&babsrc=SP_ss&mntrId=364c1869000000000000eeaf78ce7a1f
CHR - Extension: Delta Toolbar = C:\Users\Ricardo Quintana\AppData\Local\Google\Chrome\User Data\Default\Extensions\eooncjejnppfjjklapaamhcdmjbilmde\1.0_0\
CHR - Extension: 22Apple = C:\Users\Ricardo Quintana\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijblflkdjdopkpdgllkmlbgcffjbnfda\2.0.1_0\
O2 - BHO: (delta Helper Object) - {C1AF5FA5-852C-4C90-812E-A7F75E011D87} - C:\Program Files (x86)\Delta\delta\1.8.10.0\bh\delta.dll (Delta-search.com)

:Files
C:\Program Files (x86)\Delta
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.




Also do you recognize this IP: 200.49.130.41 200.42.4.204?

and lastly,

Upload a File to Virustotal
Please visit Virustotal.com
  • Click the Browse... button
  • Navigate to the file C:\Windows\SysNative\sstate_prev.sdt
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.
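
Added example (not part of any post in this thread, and not code from OTL): a small triage script that reads lines in the OTL fix format shown above, plus the O17 DNS line format that appears later in the thread, and reports every URL host, DNS server and Chrome extension that is not on an expected list. The expected lists, the shortened query strings and the placeholder SID and user name are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Hosts the owner expects as start page / search provider (assumption).
EXPECTED_HOSTS = {"ixquick.com"}
# DNS resolvers the owner recognises (assumption; none were recognised here).
EXPECTED_DNS = set()

# Constructed sample in the thread's OTL format: query strings shortened,
# SID and user name replaced with placeholders.
SAMPLE_LOG = r"""
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.22apple.com/newtab?utm_source=b
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}
IE - HKU\S-1-5-21-EXAMPLE\..\SearchScopes\{617E16C8-DB03-30C6-0A58-5311063E2913}: "URL" = http://search.babylon.com/?q={searchTerms}
CHR - default_search_provider: search_url = https://ixquick.com/do/search?query={searchTerms}
CHR - Extension: Delta Toolbar = C:\Users\example\AppData\Local\Google\Chrome\User Data\Default\Extensions\eooncjejnppfjjklapaamhcdmjbilmde\1.0_0\
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 200.49.130.41 200.42.4.204
"""

# "<tag> - <registry key or setting> = <value>"
LINE_RE = re.compile(r"^(?P<tag>[A-Z0-9]+(?::64bit:)?) - (?P<where>.+?) = (?P<value>.+)$")
# Chrome extension IDs are 32 letters in the range a-p.
EXT_ID_RE = re.compile(r"\\Extensions\\([a-p]{32})\\")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage(log_text, expected_hosts=EXPECTED_HOSTS, expected_dns=EXPECTED_DNS):
    """Return (kind, location, value) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tag, where, value = m["tag"], m["where"], m["value"].strip()
        if value.lower().startswith(("http://", "https://")):
            # Start pages and search providers: compare the host only, the
            # query string is tracking data and changes per install.
            host = (urlsplit(value).hostname or "").lower()
            if host not in expected_hosts:
                findings.append(("url", where, host))
        elif "NameServer" in where:
            # O17 lines: DNS servers the machine resolves names through.
            for ip in IPV4_RE.findall(value):
                if ip not in expected_dns:
                    findings.append(("dns", where, ip))
        elif tag == "CHR" and where.startswith("Extension:"):
            # Extensions are always listed; the name alone proves nothing.
            name = where.split(":", 1)[1].strip()
            ext = EXT_ID_RE.search(value)
            findings.append(("extension", name, ext.group(1) if ext else value))
    return findings


if __name__ == "__main__":
    for kind, where, value in triage(SAMPLE_LOG):
        print(f"{kind:9} {value:34} {where}")
```

Putting the router's or ISP's resolvers into the expected DNS set, once they have been confirmed, makes the O17 lines drop out of the report.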
 

Dscheksn

New Member
Thread author
Verified
Feb 3, 2013
15
(1) The fix didn't remove that 22apple redirect.
Update 08.02.2013-3:38 p.m.
I kept on searching and found this.
- Brought the Google Chrome icon to the desktop
- right-clicked it
- properties - direct access - destination
""C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.22apple.com/?utm_source=b&ch=sof&uid=ST9500325AS_5VELLHF4XXXX5VELLHF4&reg=1360097647&type=lnk"
- I deleted the part after \chrome.exe" -> Problem still exists

(2) "Ordner Gefunden" or "Schlüssel Gefunden" means Folder found or Key found.
(3) I don't know IP: 200.49.130.41 200.42.4.204
I went to www.wieistmeineip.de and my IP starts with 186.---
Do I have to be scared about that IP?
(4) I uploaded the file and it says 0/46.

Here is the requested file.
[attachment=3466]

I also have two new folders now "OTL" and inside there "Moved files".
What about this?

I still have a question. Would you say that running SuperAntiSpyware together with my ZoneAlarm (Antivir + Firewall) is bad or no problem?
Greetings
Dscheksn
 

Attachments

  • 02082013_143342.txt
    8.4 KB · Views: 85
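
Added example (not part of any post in this thread): the shortcut Target field quoted in the post above carries a URL after chrome.exe, and this script applies that check to a set of Target strings, one per shortcut, and returns the ones where a browser executable is followed by a URL. The browser list and the shortcut names are assumptions; the query string is shortened.

```python
import ntpath
from urllib.parse import urlsplit

# Executable names treated as browsers (assumption for this example).
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "opera.exe"}

# Constructed sample: shortcut name -> Target field text. The first entry
# keeps the extra outer quotes exactly as the field was pasted in the post.
SAMPLE_SHORTCUTS = {
    r"Desktop\Google Chrome.lnk":
        r'""C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.22apple.com/?utm_source=b&type=lnk"',
    r"Start Menu\Google Chrome.lnk":
        r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"',
    r"TaskBar\Google Chrome.lnk":
        r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.22apple.com/?utm_source=b&type=lnk',
}


def split_target(target):
    """Split a Target string into (executable path, argument string)."""
    t = target.strip()
    # Pasted form with one extra pair of quotes around the whole field.
    if t.startswith('""') and t.endswith('"'):
        t = t[1:-1]
    if t.startswith('"'):
        end = t.find('"', 1)
        if end == -1:                      # unbalanced quote: no arguments
            return t[1:], ""
        return t[1:end], t[end + 1:].strip()
    # Unquoted path: the executable ends at the first ".exe".
    idx = t.lower().find(".exe")
    if idx == -1:
        return t, ""
    return t[:idx + 4], t[idx + 4:].strip()


def check_target(target):
    """Return details if a browser shortcut has a URL appended, else None."""
    exe, args = split_target(target)
    name = ntpath.basename(exe).lower()    # ntpath handles "\" on any OS
    urls = [a.strip('"') for a in args.split()
            if a.strip('"').lower().startswith(("http://", "https://"))]
    if name not in BROWSERS or not urls:
        return None
    return {
        "browser": name,
        "hosts": [urlsplit(u).hostname for u in urls],
        "clean_target": f'"{exe}"',        # what the field should contain
    }


def audit(shortcuts):
    """Check every shortcut on its own; fixing one leaves the others as is."""
    flagged = {}
    for name, target in shortcuts.items():
        hit = check_target(target)
        if hit:
            flagged[name] = hit
    return flagged


if __name__ == "__main__":
    for name, hit in audit(SAMPLE_SHORTCUTS).items():
        print(name, hit["hosts"], "->", hit["clean_target"])
```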

Fiery

Level 1
Jan 11, 2011
2,007
Oh, that makes sense. Can you open AdwCleaner and click delete? Let me know if the redirect is still happening. The OTL folders have the files/entries we just deleted, that is normal.

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 200.49.130.41 200.42.4.204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D1556083-5D36-4C5D-83C3-E0CA213BF15F}: DhcpNameServer = 200.49.130.41 200.42.4.204

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.





Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
    Exit/Close RogueKiller+
 

Dscheksn

New Member
Thread author
Verified
Feb 3, 2013
15
I just ran AdwCleaner.

22apple (1) adwcleaner (0). Redirect still exists.

Here is the OTL file.
[attachment=3469]

This is the Report of Roguekiller.
----------------------------------------------------------------------
RogueKiller V8.5.0 [Feb 8 2013] durch Tigzy
mail: tigzyRK<at>gmail<dot>com

mail : tigzyRK<at>gmail<dot>com
Kommentare : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Webseite : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Betriebssystem : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Gestartet in : Normaler Modus
Benutzer : Ricardo Quintana [Admin Rechte]
Funktion : Scannen -- Datum : 02/08/2013 16:01:48
| ARK || FAK || MBR |

¤¤¤ Böswillige Prozesse : 0 ¤¤¤

¤¤¤ Registry-Einträge : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> GEFUNDEN (FOUND)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> GEFUNDEN (FOUND)

¤¤¤ Bestimmte Dateien / Ordner: ¤¤¤

¤¤¤ Treiber : [NICHT GELADEN] ¤¤¤ (NOT LOADED)

¤¤¤ Hosts-Datei: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR überprüfen: ¤¤¤

+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] cfc6f8a67ef6700dbb549448ba615a24
[BSP] a91f8cfb2395597704f552341b360552 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 14214 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 29114368 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 29319168 | Size: 462624 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Abgeschlossen : << RKreport[2]_S_02082013_02d1601.txt >>
RKreport[1]_S_02082013_02d1550.txt ; RKreport[2]_S_02082013_02d1601.txt
---------------------------------------------------------------------------------------------------
As you didn't say to delete something, I will wait for your confirmation. The things RogueKiller found still exist.
 

Attachments

  • 02082013_154537.txt
    764 bytes · Views: 80

Fiery

Level 1
Jan 11, 2011
2,007
No need to delete those entries in RogueKiller. Did AdwCleaner produce a log after you clicked delete? If so, please attach that.

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply




Then do a fresh OTL scan with just the default settings.
 

Dscheksn

New Member
Thread author
Verified
Feb 3, 2013
15
Adwcleaner Logfile:[attachment=3472]
Junkware Logfile:[attachment=3473]
OTL Logfile: [attachment=3474]

Thanks for help =)
 

Attachments

  • AdwCleaner[S2].txt
    895 bytes · Views: 103
  • JRT.txt
    1.4 KB · Views: 89
  • OTL.Txt
    130.8 KB · Views: 127

Fiery

Level 1
Jan 11, 2011
2,007
Which browser are you getting the redirects on?

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes,Backup.Old.DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKCU\..\SearchScopes\{EF068A52-8C39-40D1-A335-759A8038086E}: "URL" = http://services.zinio.com/search?s={searchTerms}&rf=sonyslices
O2 - BHO: (no name) - cardisabled - No CLSID value found.
[2013/02/07 16:09:30 | 000,062,808 | ---- | C] () -- C:\Windows\SysNative\s000000.dat
[2013/02/07 16:04:41 | 000,000,040 | ---- | C] () -- C:\Windows\SysNative\sstate_prev.sdt
[2013/02/07 16:04:41 | 000,000,000 | ---- | C] () -- C:\Windows\SysNative\sstates.sdt

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.




Download TDSSkiller from here
  • Double-Click on TDSSKiller.exe to run the application
  • When TDSSKiller opens, click Change parameters, check the box next to Loaded modules. A reboot will be required.
  • After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  • Click Start scan.
  • If a suspicious object is detected, the default action will be Skip, click on Continue. (If it says TDL4/TDSS file system, select delete)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt)
 

Dscheksn

New Member
Thread author
Verified
Feb 3, 2013
15
Hey Fiery,

I am only using Google Chrome and the redirects appear there.
It's still happening. Impossible to change, don't know wtf is going on there =(

OTL file:[attachment=3514]

TDSS file: "You are currently using 549.56 KB of your allocated attachment usage (1MB)"

The file has 595 KB so I can't attach it, what can I do?... =(
---------------------------------------------------------------------------------------------------------------------------------------------
I notice that BingBar is being installed once and once again....
I also see that there are tons of "Windows live mesh" installed. All same version, but many different languages. Is that normal?
 

Attachments

  • 02102013_210516.txt
    1.7 KB · Views: 92

Fiery

Level 1
Jan 11, 2011
2,007
Can you copy and paste the last portion of the TDSSKiller log? Just paste it directly in your next reply.

Try reinstalling google chrome and see if that helps.
 

Dscheksn

New Member
Thread author
Verified
Feb 3, 2013
15
Hey Fiery, yes, sure I can.

Filename: TDSSKiller.2.8.15.0_10.02.2013_21.19.05_log.txt

Don't really know what a portion is, so I will copy you some lines.
----------------------------------------------------------------------
======================================================
21:23:22.0191 5944 Scan finished
======================================================
21:23:22.0207 4488 Detected object count: 2
21:23:22.0207 4488 Actual detected object count: 2
00:13:21.0863 4488 IconMan_R ( UnsignedFile.Multi.Generic ) - skipped by user
00:13:21.0863 4488 IconMan_R ( UnsignedFile.Multi.Generic ) - User select action: Skip
00:13:21.0868 4488 MDM ( UnsignedFile.Multi.Generic ) - skipped by user
00:13:21.0868 4488 MDM ( UnsignedFile.Multi.Generic ) - User select action: Skip
00:13:41.0922 4108 Deinitialize success
-----------------------------------------------------------------------
I read by searching on Google from a user that he also had this problem, impossible to remove via Malwarebytes, Comodo and Sophos.
So he used Combofix to resolve that problem because he said it's caused by a trojan virus (didn't mention which).

So my question is: it's not really the best solution to just reinstall Google Chrome, right? There must be a trojan somewhere. Anyway, I will do a reinstall now after I post this.

Greetings
 

Fiery

Level 1
Jan 11, 2011
2,007
I'm aware that there may be a trojan on your PC, but sometimes redirects don't necessarily mean there's one. There may just be a setting in the browser that redirects you. (There was a case here where the user had a search term altered in the browser's properties and it caused redirects).

OTL and TDSSKiller aren't showing anything, and Combofix may do more harm than good in this situation. However, if you insist on running a Combofix scan then I will guide you through it. I recommend backing up any important files before we continue.

Please download ComboFix from one of these locations:

Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2: http://www.infospyware.net/antimalware/combofix/

* IMPORTANT !!! Save ComboFix to your Desktop as ComboFix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    See http://www.bleepingcomputer.com/forums/topic114351.html for help.
  • Double click on Combo-Fix & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[Image: http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: http://img.photobucket.com/albums/v706/ried7/whatnext.png]
Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
 

Dscheksn

New Member
Thread author
Verified
Feb 3, 2013
15
Hey Fiery,

The reinstall worked well. ixquick.com is shown now on startup.

As I am here only for vacation in Argentina and it's my uncle's PC, I don't really want to run Combofix. Anyway, I don't really understand why it's so "dangerous" to run it.
After I read an article here and on bleepingcomputer that it contained a virus, I dislike it even more.
- turn off antivirus + antispyware :D... made me really laugh when I read it.

If there is another way of finding that sneaky trojan, please tell me.
I downloaded it and it's on my desktop, so if there is no other way we can go for it =)

greetings
 

Fiery

Level 1
Jan 11, 2011
2,007
Are you still getting the redirects? The Combofix file was only compromised for a few hours. The current version is clean :) Combofix is dangerous due to the nature of its detection and removal methods.

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
CHR - default_search_provider: Ixquick HTTPS (Enabled)
CHR - default_search_provider: search_url = https://ixquick.com/do/search?query={searchTerms}&cat=web&pl=chrome&language=spanish

Then click Run Fix. A new log will be created automatically, post the content in the next reply.




Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advanced Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 
