mydomainadvisor and 404 nginx redirects



Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!)

Post back the report.

MrC


Hi MrCharlie:

Here is the report:

RogueKiller V7.4.4 [05/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: admin [Admin rights]

Mode: Scan -- Date: 05/11/2012 10:48:12

¤¤¤ Bad processes: 1 ¤¤¤

[SUSP PATH] visicom_antiphishing.exe -- C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 3 ¤¤¤

[SUSP PATH] HKLM\[...]\Wow6432Node\Run : Anti-phishing Domain Advisor ("C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe") -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK2552GSX ATA Device +++++

--- User ---

[MBR] 551004de8a36225bd2117f3b1c7679bc

[BSP] 5fdf007a7b891da1ca01d5fb4600053a : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238473 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST95005620AS ATA Device +++++

--- User ---

[MBR] a4dd951913109349b3853eb49f2adfe0

[BSP] 8c93a053b28efc2e467209197d878d63 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 400 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 821248 | Size: 64000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 131893248 | Size: 128000 Mo

3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 394037248 | Size: 284538 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Thanks
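The report above flags a Run-key autostart entry whose executable lives under C:\ProgramData. As an added defender-side check (not part of this thread or of RogueKiller), the following PowerShell enumerates the Run keys, including the Wow6432Node view the report shows, and flags entries whose target sits in ProgramData, TEMP or APPDATA, or whose file no longer exists. It is read-only; the folder list and the "SUSP PATH" label are this example's own choices.

```powershell
# Added example, not from the thread: audit Run autostart entries and flag the
# pattern RogueKiller reported above (an autostart binary under ProgramData).
# Nothing is changed or deleted; the script only reports.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Folders a legitimate installer rarely uses for an autostart binary (assumed list).
$suspectRoots = @($env:ProgramData, $env:TEMP, $env:APPDATA)

function Get-RunEntryPath {
    param([string]$Command)
    # Strip surrounding quotes and arguments: "C:\x\y.exe" /flag -> C:\x\y.exe
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        $exe  = Get-RunEntryPath $p.Value
        $flag = ''
        foreach ($root in $suspectRoots) {
            if ($root -and $exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $flag = 'SUSP PATH'
            }
        }
        # A Run entry pointing at a file that is gone is a leftover worth cleaning too.
        if (-not (Test-Path -LiteralPath $exe)) { $flag = ($flag + ' MISSING FILE').Trim() }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $exe; Flag = $flag }
    }
}
```

Run it in an elevated PowerShell so HKLM is readable; entries with an empty Flag column are simply listed for review.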


MrCharlie:

After seeing that Anti-phishing.exe may be the culprit, I checked my control panel. I noticed that it was most likely installed when I downloaded "pdf creator". There were some other programs which were installed on that day as well. When you give me your recommendations, please let me know if these programs should be removed as well.

Bekko Search Bar 1.0

Search.com Bar

Adobe AIR

Adobe Download Assistant

PDF Creator

Thanks again


Thanks MrC:

I uninstalled those programs.

Here is the updated Rogue Killer report. I have the MVPS Hosts file on my computer now.

RogueKiller V7.4.4 [05/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: admin [Admin rights]

Mode: Scan -- Date: 05/12/2012 07:33:30

¤¤¤ Bad processes: 1 ¤¤¤

[SUSP PATH] visicom_antiphishing.exe -- C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

::1 localhost #[IPv6]


[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK2552GSX ATA Device +++++

--- User ---

[MBR] 551004de8a36225bd2117f3b1c7679bc

[BSP] 5fdf007a7b891da1ca01d5fb4600053a : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238473 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST95005620AS ATA Device +++++

--- User ---

[MBR] a4dd951913109349b3853eb49f2adfe0

[BSP] 8c93a053b28efc2e467209197d878d63 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 400 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 821248 | Size: 64000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 131893248 | Size: 128000 Mo

3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 394037248 | Size: 284538 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt


Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download TDSSKiller to your desktop and run it as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


OK....please do this:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:

If you get the message Illegal operation attempted on registry key that has been marked for deletion. after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


MrC

I deleted the folder; it was empty since I was able to uninstall it via the Control Panel. When using RogueKiller, am I supposed to do anything with the items it detected? I only sent the report but did not delete anything. When I try to run it now, it keeps crashing after I click "Scan", but I can see it is still detecting two HJ registry items.

Thanks for all your help!


I forgot to mention, although I tried to uninstall "Anti-phishing Domain Advisor", the "C:\ProgramData\Anti-phishing Domain Advisor" folder still exists and has executable files in it. I don't know if the uninstall worked.


Uncheck the three boxes on the right before you run it.

Run RogueKiller again and click Scan.

When the scan completes > click on the Bad processes tab

Put a check next to all of these and uncheck the rest:

¤¤¤ Bad processes: 1 ¤¤¤

[SUSP PATH] visicom_antiphishing.exe -- C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe -> KILLED [TermProc]

Now click Delete on the right hand column.

Repeat the process for these:

Click on the Registry Entries > put a check next to these and uncheck the rest

Click on Delete

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

MrC


Thanks so much for helping me out on the weekend, MrC!

OK. The process didn't exist anymore since it was uninstalled. I was, however, able to delete the two registry items. After deletion, the status said REPLACED (0). Here is the log:

RogueKiller V7.4.4 [05/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback:

Blog:

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: admin [Admin rights]

Mode: Remove -- Date: 05/12/2012 15:36:00

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

Finished : << RKreport[4].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

When ComboFix ran, what viruses, if any, did it clean up?

Thanks again!


Everything seems to be okay. The original problem was intermittent, but I feel confident that uninstalling those trojans and using roguekiller cleaned everything up. If the problem rears its head again, I'll let you know.

With these specific trojans and viruses, what threats did they pose in regards to data?

Thanks again for all your help!!!


OK, a little clean up to do.....

Please Uninstall ComboFix:

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

-------------------------------

You have out-of-date Java on the system; older versions are vulnerable to malware.

Please go to your Control Panel's Add/Remove Programs and uninstall these:

Java Auto Updater

Java™ 7 Update 4

Then download and install the latest version, Java™ 6 Update 32.

http://www.java.com/...load/manual.jsp <---latest version

http://www.java.com/...d/installed.jsp <---verify your Java

-----------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Hi MrC

Just a quick question on the uninstall of ComboFix. McAfee was running as I was uninstalling ComboFix and it detected a couple of files that I believe were used by ComboFix. Although McAfee deleted those files during the uninstall, is it correct to assume McAfee didn't prevent ComboFix from uninstalling properly?

-------------------------------

You have out-of-date Java on the system; older versions are vulnerable to malware.

Please go to your Control Panel's Add/Remove Programs and uninstall these:

Java Auto Updater

Java™ 7 Update 4

Then download and install the latest version, Java™ 6 Update 32.

http://www.java.com/...load/manual.jsp <---latest version

http://www.java.com/...d/installed.jsp <---verify your Java

I believe I have a later version of Java than version 6. I also clicked on the java link and it confirmed V7 update 4 is the latest available.

Thanks again for all your help. Will post positive feedback!


is it correct to assume McAfee didn't prevent Combofix from uninstalling properly?

No, you had it disabled during the scan.

AV: McAfee® Security-as-a-Service *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: McAfee® Security-as-a-Service *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

-------------------------------

I'm sorry, you do have the latest version of Java installed....my mistake....so you're OK.

MrC


Hi MrC

Sorry for the confusion...

Yes, McAfee was disabled during the scan, but when I performed the uninstall of Combofix, McAfee was enabled again. As the uninstall was proceeding, McAfee detected 3 Tool-Nircmd threats: firefox.exe, iexplore.exe, and n.pif. It quarantined these files. I was assuming these files were from Combofix and hoping that this action didn't affect the uninstall.

Other than that, I think I completed all of the clean up tasks without any issues. I will probably be posting a new topic soon to help my mother-in-law with her computer.

Thanks again for all your help!!!


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
