Interval hehehe Issues!


Recommended Posts

Hi Guys

I did add a topic referencing this interval hehehe issue, but I need to ask for help again.

I downloaded the infected WinRar software and when I ran Spybot it stopped the pop up, but now every time I open IE7 or Google Chrome I get the page that says I have been attacked and need to buy anti spy virus software. If I search the internet using Google I get the pages in Chinese!

How do I stop this from happening?

I am running Malware now and I will follow the instructions again for the logs and post them here.

Any help in the meantime would be greatly received.

Cheers

Ricardo


Here is the malware log:

Malwarebytes' Anti-Malware 1.31

Database version: 1511

Windows 6.0.6001 Service Pack 1

22/12/2008 12:46:59

mbam-log-2008-12-22 (12-46-59).txt

Scan type: Quick Scan

Objects scanned: 57310

Time elapsed: 6 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Here is my Panda Active Scan:

;*******************************************************************************
ANALYSIS: 2008-12-22 13:18:43
PROTECTIONS: 1
MALWARE: 1
SUSPECTS: 0
;*******************************************************************************

PROTECTIONS
Description         Version       Active   Updated
;===============================================================================
Windows Defender    1.1.4205.0    No       No
;===============================================================================

MALWARE
Id         Description        Type             Active   Severity   Disinfectable   Disinfected   Location
;===============================================================================
00170495   Cookie/PointRoll   TrackingCookie   No       0          Yes             No            C:\Users\Richard\AppData\Roaming\Microsoft\Windows\Cookies\richard@ads.pointroll[2].txt
;===============================================================================

SUSPECTS
Sent       Location
;===============================================================================

VULNERABILITIES
Id         Severity   Description
;===============================================================================


Here are the HijackThis results:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:21:46, on 22/12/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\mobsync.exe

C:\Program Files\Apoint\Apoint.exe

C:\Windows\vVX3000.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\T-Mobile\web'n'walk USB manager\web'n'walk USB manager.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\WebEx\Productivity Tools\PTIM.exe

C:\Program Files\WebEx\Productivity Tools\ptmsgfrm.exe

C:\ProgramData\Autobahn\autobahn.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Wallpapers from MSN\Wallpaper_tray.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\WebEx\Productivity Tools\ptSrv.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Opera\opera.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\IEPro\MiniDM.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\PROGRA~1\AVG\AVG8\aAvgApi.exe

C:\Program Files\Windows Live\Toolbar\wltuser.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Windows Live\Mail\wlmail.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe

C:\Users\Richard\Desktop\HiJackThis.exe

O16 - DPF: AuthenticBrowserEdition - https://extranet.awdplc.com/news/cab/Authen...tionUnicode.cab

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Vegas%20Heist/Images/stg_drm.ocx

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://access.awdplc.com/CitrixSessionInit...AWEB/icaweb.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} (VaxSIPUserAgentCAB Control) - http://www.mand8.com/assets/plugins/VaxSIPUserAgentCAB.cab

O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab

O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://access.awdplc.com/net6helper.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://awdcdv.webex.com/client/T26L/webex/ieatgpc1.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E5FE3E17-AEBE-46C8-BAE1-FF8AF02A89DE}: NameServer = 149.254.201.126 149.254.192.126

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: avgrsstx.dll

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll

O23 - Service: McAfee Application Installer Cleanup (0233161229948829) (0233161229948829mcinstcleanup) - McAfee, Inc. - C:\Users\Richard\AppData\Local\Temp\023316~1.EXE

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\Windows\system32\atashost.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe

O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\Windows\system32\bmwebcfg.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AvLib\SsBeSvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AvLib\SSScsiSV.exe

O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe

O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe

O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe

O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe

O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 8793 bytes


  • Root Admin

Hi Ricardo, sorry for the delay but it is Holiday Season and there is limited help right now.

Your MBAM version is way out of date.

Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Restart your computer and then run an HJT scan and save the log.

Post back the new MBAM and HJT logs.


Thanks for the reply, however I found this advice at the following URL:

http://www.answerbag.com/q_view/1115403

Once that was done, some smart cookie on the net suggested that if you are still getting Chinese Google/fake Microsoft site syndrome then your hosts file has been tampered with. If you're interested (which you certainly don't have to be to solve this!), the hosts file tells your machine that certain requests for URLs by any of your browsers should ignore the real site (to do with a service called DNS) and go to wherever the file tells it to; in this case, requests for Google and a few other sites are being sent to a malware site or Chinese Google. For me, this was absolutely the case.

For those not familiar with this it is perfectly safe and easy to repair:

Go to C:\Windows\system32\drivers\etc\hosts

Open this in Notepad (ignoring system messages telling you that you ought not to play with these files) and delete everything. Then, to return to the Windows original, add this single line and then save:

127.0.0.1 localhost

If you don't trust my reply here, check on the web for a "windows hosts file" example and you should find that's OK!

If you see another version of this with lots of text in it, don't worry that the descriptive text above the line isn't there; Windows will ignore that since it was for your benefit only. Or add it in, it really doesn't matter.

That has sorted out the issue, so many thanks for your reply, but it looks like I am now back to normal.

Regards

Richard


  • Root Admin

Yes, I am very well aware of the hosts file, and it may or may not be your complete solution.

It's up to you whether you would like us to assist you and verify or not. It is quite easy to update and do a few scans to verify.

How do you think your hosts file got modified in the first place without your approval? Typically resident Malware is the cause.

For you and others who are interested in more information on the Windows hosts file, please take a look here:

The hosts file is a computer file used to store information on where to find a node on a computer network. This file maps hostnames to IP addresses. The hosts file is used as a supplement to (or instead of) the domain name system on networks of varying sizes. Unlike DNS, the hosts file is under the control of the local computer's administrator.

If you would like to check and verify that your system is clean, please perform the following.

Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and, AFTER the restart, run an HJT scan and save the log.

Post back fresh MBAM and HJT logs.

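Since the thread turns on a tampered hosts file (Google and other sites silently mapped to a different server), here is an added example, not from this thread, from the Malwarebytes forum or from Panda or HijackThis, of a small script that parses a hosts file and flags the pattern the poster hit: a well-known hostname mapped to an address other than loopback. The sample hosts content and the watch list of domains are constructed for the demo; the 198.51.100.23 address is a documentation-only (TEST-NET-2) address and stands in for whatever address the malware used, which the thread does not give.

```python
"""Parse a hosts file and flag well-known hostnames that are redirected.

Added example for the thread above (not the forum's or any tool's code).
SAMPLE_HOSTS and WATCHED_SUFFIXES are constructed assumptions for the demo.
"""
import ipaddress

# Assumed watch list: domains a hijacked hosts file commonly overrides.
WATCHED_SUFFIXES = ("google.com", "google.co.uk", "microsoft.com", "windowsupdate.com")

# Constructed sample: the default lines, two hijack-style entries, one sinkhole.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.google.com google.com   # constructed: Google sent elsewhere
198.51.100.23   update.microsoft.com        # constructed: updates sent elsewhere
127.0.0.1       ads.example.net             # loopback sinkhole: blocks, not reroutes
"""


def parse_hosts(text):
    """Return a list of (ip, hostname, line_no) for every mapping in the file.

    Comments ('#' to end of line) and blank lines are skipped; a line whose
    first field is not an IP address is ignored rather than guessed at.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # address with no hostname: nothing to map
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((ip, host.lower(), line_no))
    return entries


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return watched hostnames that resolve to something other than loopback.

    A loopback mapping (127.x or ::1) merely blocks a site, which ad-blocking
    hosts files do on purpose. A non-loopback mapping reroutes the browser to
    another server, which is what produced the 'Chinese Google' symptom above.
    """
    hits = []
    for ip, host, line_no in parse_hosts(text):
        if ip.is_loopback:
            continue
        if is_watched(host):
            hits.append({"line": line_no, "host": host, "ip": str(ip)})
    return hits


def default_hosts():
    """The single mapping the thread restores; comment lines are optional."""
    return "127.0.0.1 localhost\n"


if __name__ == "__main__":
    # To check a real machine, read %SystemRoot%\System32\drivers\etc\hosts
    # instead of SAMPLE_HOSTS (the path quoted earlier in the thread).
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```

Run against the real file by reading C:\Windows\system32\drivers\etc\hosts into the `text` argument; an empty result from `find_hijacks` together with the single `127.0.0.1 localhost` line is the clean state the poster restored. As the Root Admin notes, a clean hosts file does not say how it got modified, so the scans requested above are still the way to confirm nothing resident put the entries there.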
