Google being redirected to Windowstopcontent site

Hi all,

When I do a search using Google, results come up like normal. But when I click on any of the links, the tab says “Jumping” and gets redirected to some site like “windowstopcontent”. Browsing the web, I found that this may be related to something called “freddy46.exe”, which is a trojan. This file also exists in my C:\WINDOWS directory, but I am not sure if I should delete it.

Urgent help would be really appreciated. Thanks.

Download Malwarebytes’ Anti-Malware (MBAM), then install it and update it with its built-in update function, then run a Quick scan and let it remove what it finds. You may have to reboot to have it remove locked files:
http://www.malwarebytes.org/mbam.php

Post an MBAM log here.

Thanks YoKenny,

I’ve downloaded and installed it. Running a scan now.

I ran the Quick Scan and here is what showed up. What would be the best step to take now?

Malwarebytes’ Anti-Malware 1.38
Database version: 2304
Windows 5.1.2600 Service Pack 2

18/06/2009 14:33:56
mbam-log-2009-06-18 (14-33-52).txt

Scan type: Quick Scan
Objects scanned: 107841
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
c:\WINDOWS\freddy46.exe (Worm.KoobFace) → No action taken.

Memory Modules Infected:
c:\program files\driver\driver.dll (Trojan.Agent) → No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\driver (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\driver (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\driverdrv (Trojan.Downloader) → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\driverdrv (Trojan.Downloader) → No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) → No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8085:tcp (Malware.Trace) → No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\driver\driver.dll (Trojan.Agent) → No action taken.
c:\WINDOWS\system32\drivers\3b93531.sys (Rootkit.Agent) → No action taken.
c:\documents and settings\bas\local settings\Temp~TM1B.tmp (Trojan.Downloader) → No action taken.
c:\documents and settings\bas\start menu\Programs\Startup\rncsys32.exe (Trojan.Downloader) → No action taken.
c:\WINDOWS\freddy46.exe (Worm.KoobFace) → No action taken.
c:\WINDOWS\Temp\wpv451243627542.exe (Trojan.Agent) → No action taken.
c:\documents and settings\bas\Application Data\wiaserva.log (Malware.Trace) → No action taken.
c:\WINDOWS\zaponce52597.dat (Worm.Koobface) → No action taken.
c:\WINDOWS\zaponce52689.dat (Worm.Koobface) → No action taken.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) → No action taken.
C:\Program Files\driver\driver.sys (Trojan.Downloader) → No action taken.

Allow MBAM to remove the items found.

Thanks FWF. It says it couldn’t delete some of them but will do them on reboot. I’m going to click OK now and come back later (hopefully) to report what happened.

The reboot was not successful the first time because the computer froze for ages. I then manually rebooted it, and it has now started up fine and the problem seems to have gone away. Thanks for the help, guys.

Windows Service Pack 3 has been available for a year and contains several Critical Security updates plus performance improvements. You need to start Internet Explorer, then go to Tools, then Windows Update, and download all of the available updates.

Also, you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel, then Automatic Updates, then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

Go to Secunia Online Software Inspector, then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Download HijackThis 2.0.2, then install it, run it, and post the log:
http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html