
Google Redirect, My Security Shield, Malicious Websites, & DDS log



When I attempted to attach MBR.dat I got a standard forum error message saying:

MBR.dat

You aren't permitted to upload this kind of file.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-07-20 18:30:51

-----------------------------

18:30:51.812 OS Version: Windows 5.1.2600 Service Pack 3

18:30:51.812 Number of processors: 1 586 0x1601

18:30:51.812 ComputerName: RMPCOMPUTER UserName: Nick

18:30:52.843 Initialize success

18:31:25.593 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

18:31:25.593 Disk 0 Vendor: Hitachi_ BB2O Size: 114473MB BusType: 3

18:31:25.609 Disk 0 MBR read successfully

18:31:25.609 Disk 0 MBR scan

18:31:25.609 Disk 0 unknown MBR code

18:31:25.609 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63

18:31:25.625 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 108470 MB offset 128520

18:31:25.625 Disk 0 Partition - 00 0F Extended LBA 2557 MB offset 222275340

18:31:25.671 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3380 MB offset 227512530

18:31:25.671 Disk 0 Partition 4 00 DD MSDOS5.0 2557 MB offset 222275403

18:31:25.687 Disk 0 scanning sectors +234436545

18:31:25.765 Disk 0 scanning C:\WINDOWS\system32\drivers

18:31:36.484 Service scanning

18:31:56.765 Modules scanning

18:32:04.718 Disk 0 trace - called modules:

18:32:04.781 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll

18:32:04.781 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5d7ab8]

18:32:04.781 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a5f4030]

18:32:04.796 Scan finished successfully

18:33:19.703 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Nick\Desktop\MBR.dat"

18:33:19.750 The log file has been saved successfully to "C:\Documents and Settings\Nick\Desktop\aswMBR.txt"


  • Staff

Hi,

Looking good. :)

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


Here's the ESET Online Scanner log. It appears like it got rid of 10 instances of the HTML/ScrInject.B.Gen virus as well as some trojans. I will now download Security Check as instructed. We're making progress. 1 virus at a time. :)

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=6e3b90d71ab0084e972b575a6f74385b

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-07-25 09:10:52

# local_time=2012-07-25 05:10:52 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 76150224 76150224 0 0

# compatibility_mode=5891 16776549 42 92 658087 10317741 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=254769

# found=26

# cleaned=26

# scan_time=7648

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FB9GU0Z6\fpi[1].htm HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FB9GU0Z6\fpi[2].htm HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FB9GU0Z6\fpi[4].htm HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FB9GU0Z6\kitten-falling-asleep-standing-up[1].txt HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GFZQCXA7\fpi[2].htm HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HYK8SR82\fpi[1].htm HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HYK8SR82\hidden-kitten[1].txt HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MSGMBS8Y\cute-sleepy-kittens-meowing[1].txt HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MSGMBS8Y\cute-sleepy-kittens-meowing[2].txt HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MSGMBS8Y\kittyflix_com[1].txt HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Nick\Desktop\Installers\AutoRefresher.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Nick\Desktop\Installers\Retrogamer.exe Win32/AdInstaller application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Nick\Local Settings\Application Data\{baebeb56-d64c-3f43-ac11-15634174457b}\n Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Nick\Local Settings\Application Data\{baebeb56-d64c-3f43-ac11-15634174457b}\U\80000000.@ a variant of Win32/Sirefef.FA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Nick\Local Settings\Application Data\{baebeb56-d64c-3f43-ac11-15634174457b}\U\80000032.@ a variant of Win32/Sirefef.FD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Free Download Manager\Extras\setup.exe Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\Installer\{baebeb56-d64c-3f43-ac11-15634174457b}\n.vir Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\Installer\{baebeb56-d64c-3f43-ac11-15634174457b}\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\SEGA\SRALLY\OBJECT2P.TEX probably a variant of Win32/Agent.HSLEEMG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\19.07.2012_18.03.51\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AYI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\19.07.2012_18.03.51\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\19.07.2012_18.03.51\mbr0000\tdlfs0000\tsk0004.dta a variant of Win32/Rootkit.Kryptik.KS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\19.07.2012_18.03.51\mbr0000\tdlfs0000\tsk0005.dta Win64/Olmarik.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\19.07.2012_18.03.51\mbr0000\tdlfs0000\tsk0008.dta Win32/Olmarik.AFK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\19.07.2012_18.03.51\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmarik.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\19.07.2012_18.03.51\mbr0000\tdlfs0000\tsk0012.dta Win32/Olmarik.AYI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

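Added example, not part of this thread and not ESET's own tooling: a small Python parser for the log format posted above. It reads the `# key=value` header, matches each detection line against ESET's `<path> <name> (<action>) <hash> <flag>` layout (paths contain spaces, so the name is anchored on the `Family/Variant <type>` shape rather than on whitespace), and sorts hits into live files, cached browser content, and files that ComboFix (`C:\Qoobox\Quarantine`) or TDSSKiller (`C:\TDSSKiller_Quarantine`) had already quarantined, which is the distinction the staff reply draws when it says most hits were already in quarantine. The quarantine and cache path prefixes are assumptions taken from this thread's layout, and the embedded sample is an eight-line excerpt of the posted log with a header constructed to match it.

```python
"""Summarise an ESET Online Scanner log.txt (added example, not ESET code).

Each detection is bucketed as a live file, cached web content, or a file
another tool had already quarantined; the path prefixes are assumptions
taken from the layout in this thread, not an ESET specification.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Body line layout: <path> <detection name> (<action>) <hash> <flag>
# Paths contain spaces, so the name is anchored on ESET's
# "[probably ][a variant of ]Family/Variant <type>" shape instead.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<name>(?:probably a variant of |a variant of )?"
    r"[A-Za-z0-9]+/\S+ (?:virus|trojan|application))\s+"
    r"\((?P<action>[^)]+)\)\s+"
    r"(?P<hash>[0-9a-fA-F]{32})\s+"
    r"(?P<flag>\S+)$"
)

# ComboFix and TDSSKiller quarantine folders as seen in this thread (assumed prefixes).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\tdsskiller_quarantine\\")
BROWSER_CACHE_MARKER = "\\temporary internet files\\"


@dataclass
class Detection:
    path: str
    name: str
    action: str
    sample_hash: str   # all zeros in the log build shown on this page
    family: str        # e.g. "Win32/Sirefef"
    location: str      # "live", "browser-cache" or "other-tool-quarantine"


def classify_location(path: str) -> str:
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIXES):
        return "other-tool-quarantine"
    if BROWSER_CACHE_MARKER in p:
        return "browser-cache"
    return "live"


def family_of(name: str) -> str:
    """'a variant of Win32/Sirefef.FA trojan' -> 'Win32/Sirefef'"""
    m = re.search(r"([A-Za-z0-9]+/[A-Za-z0-9]+)", name)
    return m.group(1) if m else name


def parse_eset_log(text: str):
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header.setdefault(key, value)   # keep the first of repeated keys
            continue
        m = DETECTION_RE.match(line)
        if m:   # banner lines such as "... CAB hook log:" simply do not match
            detections.append(Detection(
                m["path"], m["name"], m["action"], m["hash"],
                family_of(m["name"]), classify_location(m["path"])))
    return header, detections


def header_counts_consistent(header: dict, detections: list) -> bool:
    """ESET's own tally must equal the number of lines parsed; a mismatch
    means the pasted log is truncated or a line did not match the format."""
    found = header.get("found", "")
    return found.isdigit() and int(found) == len(detections)


def summarise(detections: list) -> dict:
    return {
        "total": len(detections),
        "by_location": dict(Counter(d.location for d in detections)),
        "by_family": dict(Counter(d.family for d in detections)),
        "live_paths": [d.path for d in detections if d.location == "live"],
    }


# Excerpt of the log posted above; '# found' and '# cleaned' are constructed
# to match this eight-line excerpt rather than the full 26-line log.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# found=8
# cleaned=8
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FB9GU0Z6\fpi[1].htm HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HYK8SR82\hidden-kitten[1].txt HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Nick\Desktop\Installers\AutoRefresher.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Nick\Local Settings\Application Data\{baebeb56-d64c-3f43-ac11-15634174457b}\n Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Nick\Local Settings\Application Data\{baebeb56-d64c-3f43-ac11-15634174457b}\U\80000000.@ a variant of Win32/Sirefef.FA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{baebeb56-d64c-3f43-ac11-15634174457b}\n.vir Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\SEGA\SRALLY\OBJECT2P.TEX probably a variant of Win32/Agent.HSLEEMG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\19.07.2012_18.03.51\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AYI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

if __name__ == "__main__":
    hdr, hits = parse_eset_log(SAMPLE_LOG)
    print("header tally consistent:", header_counts_consistent(hdr, hits))
    for k, v in summarise(hits).items():
        print(f"{k}: {v}")
```

The `header_counts_consistent` check is the part worth keeping in a helper's toolkit: when someone pastes a log by hand, a `# found` value that does not match the number of detection lines tells you the paste was truncated before you start reasoning about which hits matter. The `live` bucket is the one that indicates malware that was actually resident (here the Sirefef files under `Application Data\{GUID}`), while `browser-cache` hits are drive-by script injection artefacts and `other-tool-quarantine` hits are re-detections of files ComboFix or TDSSKiller had already neutralised.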

Issues that remain:

1. Windows Security Essentials still displays error code: 0x80070424 whenever I try to turn it back on. I'm thinking about uninstalling it and getting the free version of AVG.

2. Windows Firewall is off whenever I turn on the infected computer. Can I turn Windows Firewall back on now, or do we still have to run programs that it would interfere with?

3. I have a Java update to do as well as some Windows updates that appear on occasion upon startup which I've been holding off on for the duration of the cleaning process.

4. Are there any other measures that we need to take for the HTML/ScrInject.B.Gen virus or any of those trojans?

The following is checkup.txt.

Results of screen317's Security Check version 0.99.43

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

ESET Online Scanner v3

Microsoft Security Essentials

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.61.0.1400

Java 6 Update 32

Java version out of Date!

Adobe Reader 9 Adobe Reader out of Date!

````````Process Check: objlist.exe by Laurent````````

Microsoft Security Essentials msseces.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 5%

````````````````````End of Log``````````````````````


  • Staff

Hi,

Thanks for the update.

1. Windows Security Essentials still displays error code: 0x80070424 whenever I try to turn it back on. I'm thinking about uninstalling it and getting the free version of AVG.

Have you tried uninstalling and reinstalling Microsoft Security Essentials? Did you mean Microsoft Security Essentials instead of Windows Security Essentials?

2. Windows Firewall is off whenever I turn on the infected computer. Can I turn Windows Firewall back on now, or do we still have to run programs that it would interfere with?

Yes feel free to turn it on.

3. I have a Java update to do as well as some Windows updates that appear on occasion upon startup which I've been holding off on for the duration of the cleaning process.

We'll take care of that (see below).

4. Are there any other measures that we need to take for the HTML/ScrInject.B.Gen virus or any of those trojans?

Most of them were in quarantine, but yes (see below).

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Adobe Reader 9

Java™ 6 Update 32

Restart your computer.

Get the latest version of Java and Adobe Reader. Also install the latent Windows Updates.

Reboot.

Let me know what issues remain.


Have you tried uninstalling and reinstalling Microsoft Security Essentials? DId you mean Microsoft Security Essentials instead of Windows Security Essentials?

I have not tried uninstalling and reinstalling it yet because of the other processes we've been using. Yes, I did mean Microsoft Security Essentials. I was pretty tired when I posted that.

Yes feel free to turn it on.

I am unable to. When I try using Security Center to turn it on it displays a message saying:

We're sorry. The Security Center could not turn on Windows Firewall. To try turning on the firewall yourself, go to Windows Firewall in Control Panel. In the Windows Fire dialog General tab, select On (recommended), and then click OK.

The only button is Close.

When I try following the instructions given by Security Center I get a message from Windows Firewall saying

Due to an unidentified problem, Windows cannot display Windows Firewall settings.

The only button is OK.

Run TFC by OldTimer to clear temporary files:

When I launch TFC and click the Start button, it appears to begin its process. However it only gets this far:

Getting user folders.

Stopping running processes.

I came back to it a few hours later and it was still there. After a few more tries, it keeps freezing there. It also freezes the computer where I can only move my mouse.

I have not attempted to uninstall ComboFix or install the Java and Windows updates yet.


ComboFix uninstalled successfully and I deleted SecurityCheck. I still haven't done the Java update nor the Windows updates because of your phrasing of "after that", which I'm assuming means after TFC runs successfully, after the uninstallation of ComboFix and the deletion of SecurityCheck. Of those, only the latter two were done.


  • Staff

Hi,

Okay looks like there are a few non-malware related issues.

First, try this for the firewall (it's an auto-fix from Microsoft):

http://support.microsoft.com/kb/283673

After trying it, reboot.

Uninstall Microsoft Security Essentials. Grab a fresh installer from here:

http://windows.microsoft.com/en-US/windows/products/security-essentials

Install it and reboot.

Let me know if that helped at all.


The auto-fix ran but did not work. After the reboot I tried turning Windows Firewall back on with Security Center with no luck. I also tried turning it on manually. For both tries the same exact messages as before were displayed.

Microsoft Security Essentials uninstalled and then reinstalled properly. I ran a Quick Scan and no threats were detected. Microsoft Security Essentials seems to be functioning like it is supposed to. The installation wizard for it noticed that Windows Firewall was not on and attempted to turn it on. It was unable to due to an "unknown error".


Would uninstalling Service Pack 3 uninstall Service Pack 2 as well? I know that in order to install Service Pack 3 you need Service Pack 2 already installed. That's not a problem though, I still have my Service Pack 2 CD and I originally installed Service Pack 3 via Windows Update. (If I remember correctly.) However in this circumstance I would have to download Service Pack 3 from the Service Pack Center.


Where you would normally see the "Remove" button and sometimes also the "Change" button there are no buttons. There is only a link that says "Click here for support information." When I click that link I get a Support Info pop-up box. That says:

Windows XP Service Pack 3

Use the following information to get technical support for Windows XP Service Pack 3

Publisher: Microsoft Corporation

Version: 20080414.031525

Support Information: http://support.microsoft.com/?kbid=936929

The only button is "Close."


Method 2 worked for the uninstallation of Service Pack 3 (in a way). When I tried the direct path to launch the spuninst.exe, it displayed an error message. However, when I removed the .exe from the Run command, I was able to open the folder containing the spuninst.exe and then was able to double click on it to run Service Pack 3's uninstallation wizard.

Upon reboot, Windows Update had 43 updates. (I regret that I didn't take a screenshot of all the updates so I can't tell you what updates were installed.) The majority of the updates were Windows XP Updates and Security Updates, one was an ActiveX update and I remember something along the lines of "killbit". Some updates could not be installed though. Also, I did not see Windows XP Service Pack 3 anywhere in those updates. The updates that could not be installed were:

Update for Windows XP (KB981793)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB981349)

I then rebooted again using the "Restart Now" button. Hopefully you can tell which updates from the group that installed with the information of the ones that didn't. If not, I'm really sorry I forgot to log that information.

I was able to get the Windows Firewall turned on via Windows Security Center, but now Windows Security Center has a status of "Off" for Virus Protection saying:

"Windows found multiple antivirus programs on this computer, but they all report that they might be out of date or are turned off. Click Recommendations for suggested actions you can take."

The recommendations were:

"Update one of your installed antivirus programs. Note: You'll need to make sure that you have a current subscription with your antivirus provider to do this.

or

Get another antivirus program."

However, Microsoft Security Essentials is fully updated and functional. (I even attempted to update it again just to make sure.)

Another issue that I am having that needs to be resolved ASAP is that whenever I am on any website for a moment I get the following message:

"Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

If you were in the middle of something, the information you were working on might be lost.

Please tell Microsoft about this problem.

We have created an error report that you can send to help us improve Internet Explorer. We will treat this report as confidential and anonymous.

To see what data this error report contains, click here."

The data is as follows:

AppName: iexplore.exe AppVer: 8.0.6001.18702 ModName: mshtml.dll

ModVer: 8.0.6001.19258 Offset: 00209f70

The following file will be included in the error report:

C:\DOCUME~1\Nick\LOCALS~1\Temp\2c32_appcompat.txt

If I could, I would copy/paste the full error report for you, but it's not able to be copied.

After the error displays, Internet Explorer attempts to restore the webpage twice before giving a Website Restore Error. So far, this is happening with all websites. With Google it happens almost instantly, with Bing I'm barely able to search, and on this forum it happens about a minute after I arrive on the webpage. (So I ended up having to type this up in Notepad.) It also happens anytime I click on any of my favorites.

If you can give me a direct link to redownload and reinstall Service Pack 3, I would really appreciate it. Internet Explorer is also closing itself on Microsoft's website, so I can't get to it. I'm hoping that once Service Pack 3 is reinstalled then Internet Explorer won't be having this error anymore.


After those updates that I mentioned in my previous post installed, the following updates attempted to install upon another reboot.

February 2007 CardSpace Update for Windows XP (KB925720)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958470)

Security Update for Windows XP (KB973869)

Update for Windows XP (KB970430)

Update for Windows XP (KB971737)

Update for Windows XP (KB981793)

However some of those updates did not install successfully. (Some are ones from the last update attempt as well.)

UPDATES NOT INSTALLED

Security Update for Windows XP (KB958470)

Update for Windows XP (KB981793)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB956844)

I am still having that Internet Explorer error, however it's not displaying the error message anymore. It just keeps attempting to restore the webpage.

After my latest reboot, Windows Security Center recognizes Microsoft Security Essentials as "ON". :)


The message that I was referencing was the one saying "Internet Explorer has encountered a problem and needs to close." It would still close my window and attempt to recover the tab twice and then display the Website Restore Error page. A couple of reboots later that message is appearing again. Internet Explorer is still not functioning; luckily I was able to click the download button for Firefox before the page closed out.

I downloaded Firefox and it is working properly. Service Pack 3 appears to have installed correctly.

Issues remaining:

I still have those 4 updates and the Java update to do. Not a big deal.

Service Pack 3 did not fix Internet Explorer. I'm going to attempt to reinstall it, as it is my preferred browser.

Upon startup I was getting a pop-up message from Windows Security Alert. The message said:

To help protect your computer, Windows Firewall has blocked some features of this program.

Do you want to keep blocking this program?

Name: Pando Media Booster

Publisher: Unknown

My options were Keep Blocking, Unblock, and Ask Me Later.

I chose Keep Blocking because I did some research that told me that it was a program that some video game companies install when you download their games, and what it does is act as a torrent seed that allows others to download the game from the company's website faster. However, in doing so it takes up a lot of bandwidth.

When I first installed Firefox it gave me a pop-up message with a header of "Add-ons may be causing problems". The pop-up message said:

"Firefox has determined that the following add-ons are known to cause stability or security problems:

MetaStream 3 Plugin 3.2.2.26 Blocked

These add-ons have a high risk of causing stability or security problems and have been blocked, but a restart is required to disable them completely."

My options were "Restart Firefox" and "Restart Later". I chose "Restart Later" and proceeded to install Service Pack 3 and then restarted my computer to finish Service Pack 3's installation. I have not received this message from Firefox again.

I will now attempt to install the 4 Windows Updates that could not install previously, as well as that Java update.

