wanguy2k (Members) - Posts: 5 - Reputation: 0 Neutral
  1. OK. I think the user accounts are valid. I know he uses LogMeIn to remote into the PC, and I think the other SrvAcct.SERVER account is used for a database program.

     I ran the FRST fix. Log is attached. Ran updated antimalware, nothing detected (see below). Ran mbar, nothing detected. Log is attached.

     Two things: After the FRST fix, Windows Update started working and the security updates for IE8 from April were due to be installed. I didn't install them. Also, when the malicious web site warnings are popping up I ran Task Manager and there were 8 explorer.exe processes running. When I started up the machine I was getting the pop-ups constantly. Now they stopped, even though no malware was found. I'm going to reboot and see what happens.

     Below is the Malwarebytes Anti-Malware log.

         Malwarebytes Anti-Malware
         www.malwarebytes.org

         Scan Date: 10/10/2014
         Scan Time: 5:49:53 PM
         Logfile:
         Administrator: Yes

         Version: 2.00.2.1012
         Malware Database: v2014.10.10.10
         Rootkit Database: v2014.10.08.01
         License: Trial
         Malware Protection: Enabled
         Malicious Website Protection: Enabled
         Self-protection: Disabled

         OS: Windows XP Service Pack 3
         CPU: x86
         File System: NTFS
         User: user

         Scan Type: Threat Scan
         Result: Completed
         Objects Scanned: 447493
         Time Elapsed: 36 min, 29 sec

         Memory: Enabled
         Startup: Enabled
         Filesystem: Enabled
         Archives: Enabled
         Rootkits: Enabled
         Heuristics: Enabled
         PUP: Enabled
         PUM: Enabled

         Processes: 0
         (No malicious items detected)

         Modules: 0
         (No malicious items detected)

         Registry Keys: 0
         (No malicious items detected)

         Registry Values: 0
         (No malicious items detected)

         Registry Data: 0
         (No malicious items detected)

         Folders: 0
         (No malicious items detected)

         Files: 0
         (No malicious items detected)

         Physical Sectors: 0
         (No malicious items detected)

         (end)

     Attachments: Fixlog.txt, mbar-log-2014-10-10 (20-52-04).txt
  2. Here they are. Thanks for your help.

         RogueKiller V10.0.1.0 [Oct 10 2014] by Adlice Software
         mail : http://www.adlice.com/contact/
         Feedback : http://forum.adlice.com
         Website : http://www.adlice.com/softwares/roguekiller/
         Blog : http://www.adlice.com

         Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
         Started in : Normal mode
         User : user [Administrator]
         Mode : Scan -- Date : 10/10/2014 15:50:15

         ¤¤¤ Processes : 0 ¤¤¤

         ¤¤¤ Registry : 15 ¤¤¤
         [Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys) -> Found
         [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys) -> Found
         [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\catchme (\??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys) -> Found
         [PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
         [PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> Found
         [PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
         [PUM.SearchPage] HKEY_USERS\S-1-5-21-1060284298-573735546-682003330-1003\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
         [PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
         [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 167.206.13.180 167.206.13.181 192.168.1.1 -> Found
         [PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F01455DF-5072-4865-BB40-16ACF4D04A60} | NameServer : 208.69.150.250,208.69.150.252 -> Found
         [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F01455DF-5072-4865-BB40-16ACF4D04A60} | NameServer : 208.69.150.250,208.69.150.252 -> Found
         [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F01455DF-5072-4865-BB40-16ACF4D04A60} | DhcpNameServer : 167.206.13.180 167.206.13.181 192.168.1.1 -> Found
         [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F01455DF-5072-4865-BB40-16ACF4D04A60} | NameServer : 208.69.150.250,208.69.150.252 -> Found
         [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{F01455DF-5072-4865-BB40-16ACF4D04A60} | NameServer : 208.69.150.250,208.69.150.252 -> Found
         [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found

         ¤¤¤ Tasks : 0 ¤¤¤

         ¤¤¤ Files : 0 ¤¤¤

         ¤¤¤ Hosts File : 1 ¤¤¤
         [C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1 localhost

         ¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
         [Filter()] \Driver\atapi @ \Device\CdRom0 : \Driver\redbook @ Unknown (\SystemRoot\system32\DRIVERS\redbook.sys)

         ¤¤¤ Web browsers : 0 ¤¤¤

         ¤¤¤ MBR Check : ¤¤¤
         +++++ PhysicalDrive0: SAMSUNG HD642JJ +++++
         --- User ---
         [MBR] 28dc343cb884e1d0d8f76517948fd370
         [BSP] d70be290b98a79d156a2df3543938e3d : Windows XP MBR Code
         Partition table:
         0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 610469 MB
         User = LL1 ... OK
         User = LL2 ... OK

         ============================================
         RKreport_SCN_10102014_125838.log

     Attachments: Addition.txt, FRST.txt
  3. I'm working on a friend's computer. It's running very slow, and Malwarebytes is popping up the "malicious website blocked" warning every few seconds. I did a scan and it came up clean. The IP address being blocked is somewhere in Russia, so something bad is running. Can I post a HiJack report (or something) so someone can take a look?