Fake security 2011/2012 etc
suesloan
2011-06-25, 15:40
After running Spybot and thinking this "thing" was handled, I rebooted and after Spybot did another scan on startup, I ran StopZilla and it found about 30 viruses and trojans and lots of adware cookies.
I had previously run MalWareBytes and thought the machine was clean but not so.
I have Avast running and it has been stopping access to various sites, but one problem remains. When I click on a link in a google search result, I usually end up on the wrong target site. Like this one: http://r.looksmart.com/.... or this one: http://c3055882.r82.cf0.rackcdn.com/...
I read your FAQ and downloaded ERANT and DDS. One of the links downloaded DDS.scr and the other DDS.com. I ran DDS.com and did not get any reports. StopZilla popped up with two "infections":
Gen Malware Detection.OO
Cognac
How can I run DDS and which one do I run? What can I do to stop this redirecting? Note this is happening in IE and Firefox browsers.
Sue
Satchfan
2011-06-26, 12:30
Hello suesloan and welcome to the Safer Networking.
My name is Satchfan and I would be glad to help you with your computer problem.
Please read the following guidelines which will help to make cleaning your machine easier:
• Please follow all instructions in the order posted
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• If you don't understand something, please don't hesitate to ask for clarification before proceeding
• The fixes are specific to your problem and should only be used for this issue on this machine.
• Please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!
IMPORTANT:
Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested
===================================================
Run DDS
You can run whichever of these you can download – they are all the same, just with different names.
Please download DDS by sUBs from one of the following links and save it to your desktop.
DDS.scr (http://download.bleepingcomputer.com/sUBs/dds.scr)
DDS.pif (http://www.forospyware.com/sUBs/dds)
disable any script blocking protection (How to Disable your Security Programs (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html))
double click DDS icon to run the tool (may take up to 3 minutes to run)
when done, DDS.txt will open.
after a few moments, attach.txt will open in a second window.
save both reports to your desktop.
Post the contents of the DDS.txt and Attach.txt reports in your next reply
==================================================
Run aswMBR
download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop
double click the aswMBR.exe to run it
click the "Scan" button to start the scan
On completion of the scan click save log, save it to your desktop and post in your next reply
Logs to include with next post:
DDS.txt
Attach.txt
aswMBR log
Thanks
Satchfan
suesloan
2011-06-26, 15:52
I downloaded dds.pif from your link. I then disabled Avast, Stopzilla and Spybot. Ran the dds.pif and it seemed to get a lot of errors like "SWREG.DAT not recognized". No output was created.
Ran aswMBR and here is its result:
aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-26 08:47:17
-----------------------------
08:47:17.921 OS Version: Windows 5.1.2600 Service Pack 3
08:47:17.921 Number of processors: 2 586 0x403
08:47:17.921 ComputerName: FLORIDA-IBM UserName: Sue
08:47:19.296 Initialize success
08:48:06.890 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
08:48:06.890 Disk 0 Vendor: WDC_WD800JD-08LSA0 09.01D09 Size: 76324MB BusType: 3
08:48:06.890 Device \Driver\atapi -> DriverStartIo 86d0b31b
08:48:08.890 Disk 0 MBR read successfully
08:48:08.890 Disk 0 MBR scan
08:48:08.890 Disk 0 TDL4@MBR code has been found
08:48:08.890 Disk 0 Windows XP default MBR code found via API
08:48:08.890 Disk 0 MBR hidden
08:48:08.890 Disk 0 MBR [TDL4] **ROOTKIT**
08:48:08.890 Disk 0 trace - called modules:
08:48:08.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86d0b4d0]<<
08:48:08.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d51ab8]
08:48:08.890 3 CLASSPNP.SYS[f7557fd7] -> nt!IofCallDriver -> \Device\00000065[0x86d53480]
08:48:08.890 5 ACPI.sys[f73be620] -> nt!IofCallDriver -> [0x86da3030]
08:48:08.890 \Driver\atapi[0x86dc52e0] -> IRP_MJ_CREATE -> 0x86d0b4d0
08:48:08.906 Scan finished successfully
08:48:46.968 Disk 0 MBR has been saved successfully to "C:\Tools\Registry Backup\MBR.dat"
08:48:46.968 The log file has been saved successfully to "C:\Tools\Registry Backup\aswMBR.txt"
I am now going to re-enable the antivirus tools I stopped.
Sue
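The aswMBR log above is the key evidence in this thread: the lines "TDL4@MBR code has been found", "MBR hidden", "**ROOTKIT**" and the ">>UNKNOWN [0x86d0b4d0]<<" entry in the called-modules trace all point at an MBR rootkit, and the later clean log lacks every one of them. The script below is an added example (not aswMBR's code, not the forum's, and not something either poster ran) that pulls those indicator lines out of aswMBR-style log text so two runs can be compared mechanically. The two embedded logs are constructed excerpts of the ones posted in this thread; the English "meaning" attached to each indicator is this example's own reading of the tool's output, not wording from aswMBR.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpts modelled on the two aswMBR logs posted in this thread
# (the first before the MBR fix, the second after). Only the lines that
# matter for triage are reproduced.
LOG_BEFORE = """\
08:48:08.890 Disk 0 MBR read successfully
08:48:08.890 Disk 0 MBR scan
08:48:08.890 Disk 0 TDL4@MBR code has been found
08:48:08.890 Disk 0 Windows XP default MBR code found via API
08:48:08.890 Disk 0 MBR hidden
08:48:08.890 Disk 0 MBR [TDL4] **ROOTKIT**
08:48:08.890 Disk 0 trace - called modules:
08:48:08.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86d0b4d0]<<
08:48:08.906 Scan finished successfully
"""

LOG_AFTER = """\
14:09:27.015 Disk 0 MBR read successfully
14:09:27.015 Disk 0 MBR scan
14:09:27.015 Disk 0 Windows XP default MBR code
14:09:34.437 Disk 0 trace - called modules:
14:09:34.453 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
14:09:34.453 Scan finished successfully
"""

# Every aswMBR log line is "HH:MM:SS.mmm <message>".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")

# Message fragments that point at an MBR rootkit. "**ROOTKIT**" is the
# tool's own verdict; the others are the evidence printed on the way to it.
# The explanations are this example's interpretation, not aswMBR text.
INDICATORS = {
    "**ROOTKIT**": "tool verdict: MBR rootkit",
    "MBR hidden": "real MBR sectors are hidden from the OS",
    "code has been found": "known rootkit MBR code signature matched",
    "found via API": "API read of the MBR differs from the raw read",
    ">>UNKNOWN": "disk I/O path hooked by a module aswMBR cannot name",
}


@dataclass
class Triage:
    findings: list = field(default_factory=list)  # (timestamp, message, meaning)
    scan_completed: bool = False

    @property
    def infected(self) -> bool:
        return bool(self.findings)


def triage_aswmbr(log_text: str) -> Triage:
    """Collect indicator lines and note whether the scan ran to completion."""
    result = Triage()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        if msg == "Scan finished successfully":
            result.scan_completed = True
        for needle, meaning in INDICATORS.items():
            if needle in msg:
                result.findings.append((ts, msg, meaning))
    return result


def hooked_addresses(log_text: str) -> list:
    """Return the kernel addresses aswMBR printed as >>UNKNOWN [..]<< hooks."""
    return re.findall(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<", log_text)


if __name__ == "__main__":
    for name, log in (("before fix", LOG_BEFORE), ("after fix", LOG_AFTER)):
        t = triage_aswmbr(log)
        print(f"{name}: infected={t.infected} scan_completed={t.scan_completed}")
        for ts, msg, meaning in t.findings:
            print(f"  {ts}  {msg}\n      -> {meaning}")
        print(f"  hooked addresses: {hooked_addresses(log)}")
```

Run as-is it reports five findings and one hooked address for the first log and none for the second, which is exactly the comparison Satchfan makes by eye in the thread. A scan that stops before "Scan finished successfully" is reported as incomplete rather than clean, since an interrupted run (like the hang Sue hit when clicking Fix) proves nothing either way.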
suesloan
2011-06-27, 19:42
In further reading I found that Teatimer should be stopped too. So I did, rebooted, same problem with DDS -- no output.
Sue
Satchfan
2011-06-29, 10:39
Hello again suesloan
My apologies for not replying sooner but I received no notification of your reply. I was just about to send a message and saw it.
===================================================
re-Run aswMBR
click Scan
on completion of the scan click the Fix button
http://i944.photobucket.com/albums/ad283/Ninamf/Fix-TDL4.jpg
Save the log as before and post in your next reply
===================================================
Run RogueKiller
Note: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run roguekiller again
Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) to your desktop.
close all running programs
for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
when prompted, type 1 and press Enter
the RKreport.txt will be generated next to the executable, (on the desktop).
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.
Remember: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run roguekiller again
===================================================
Try running DDS again
Thanks
Satchfan
suesloan
2011-06-30, 20:45
I ran aswMBR and when I clicked the Fix button it said it was verifying the fix but instead it hung the computer such that I had to unplug it to reboot. I did not then try the other program you suggested.
I did not stop my other antivirus programs this time -- could that be the problem?
Sue
suesloan
2011-06-30, 21:15
I stopped the antivirus programs and ran both programs you suggested.
aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-30 14:08:43
-----------------------------
14:08:43.531 OS Version: Windows 5.1.2600 Service Pack 3
14:08:43.531 Number of processors: 2 586 0x403
14:08:43.531 ComputerName: FLORIDA-IBM UserName: Sue
14:08:45.843 Initialize success
14:09:24.984 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:09:24.984 Disk 0 Vendor: WDC_WD800JD-08LSA0 09.01D09 Size: 76324MB BusType: 3
14:09:27.015 Disk 0 MBR read successfully
14:09:27.015 Disk 0 MBR scan
14:09:27.015 Disk 0 Windows XP default MBR code
14:09:29.015 Disk 0 scanning sectors +156312450
14:09:29.046 Disk 0 scanning C:\WINDOWS\system32\drivers
14:09:33.500 Service scanning
14:09:34.437 Disk 0 trace - called modules:
14:09:34.453 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
14:09:34.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86dc9030]
14:09:34.453 3 CLASSPNP.SYS[f7557fd7] -> nt!IofCallDriver -> \Device\00000066[0x86da0650]
14:09:34.453 5 ACPI.sys[f73be620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86d4b998]
14:09:34.453 Scan finished successfully
14:10:35.593 Disk 0 MBR has been saved successfully to "C:\Tools\Registry Backup\MBR.dat"
14:10:35.593 The log file has been saved successfully to "C:\Tools\Registry Backup\aswMBR.txt"
============
I did not run the FixMBR since it did not note a problem with it in the above log. I then ran just the scan for RogueKiller.
===================
RogueKiller V5.2.7 [06/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Sue [Admin rights]
Mode: Scan -- Date : 06/30/2011 14:11:26
Bad processes: 0
Registry Entries: 1
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
HOSTS File:
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]
Finished : << RKreport[1].txt >>
RKreport[1].txt
Hope this is helpful. Sue
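The HOSTS section of the RogueKiller report above lists many names mapped to 127.0.0.1. That shape is a blocklist (each name is sinkholed to loopback and simply stops resolving), which is different from a hijack, where a legitimate name is mapped to some other address or a security vendor's site is sinkholed so updates and downloads fail. The script below is an added example, written for this thread rather than taken from RogueKiller or the forum, that parses HOSTS-format text and separates the two cases. The sample text is constructed: its 127.0.0.1 lines mirror the report, while the www.avast.com line and the two 198.51.100.23 lines (an RFC 5737 documentation address) are invented to show what a hijacked file looks like. The SECURITY_DOMAINS list is likewise this example's own.

```python
import ipaddress
from collections import Counter

# Constructed sample. The 127.0.0.1 lines follow the RogueKiller report in
# this thread; the www.avast.com line and the 198.51.100.23 lines are
# invented here to show the hijack pattern (198.51.100.0/24 is reserved
# for documentation, so this never points at a real host).
HOSTS_SAMPLE = """\
# constructed header comment
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
::1 localhost
127.0.0.1 www.avast.com
198.51.100.23 www.google.com
198.51.100.23 update.microsoft.com
"""

# Security-vendor domains whose sinkholing in HOSTS would cut the machine off
# from its own defences. Constructed list for this example; extend as needed.
SECURITY_DOMAINS = ("avast.com", "safer-networking.org",
                    "malwarebytes.org", "bleepingcomputer.com")


def hostname_matches(host: str, domains) -> bool:
    """True if host equals, or is a subdomain of, any entry in domains."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def classify_entry(ip_text: str, hostname: str) -> str:
    """Label one ip/hostname pair from a HOSTS file."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        # Loopback or 0.0.0.0 only sinkholes the name. That is what
        # blocklist-style immunisation does and is not a hijack by itself,
        # unless the name being blocked is a security vendor.
        if hostname.lower() in ("localhost", "localhost.localdomain"):
            return "normal"
        if hostname_matches(hostname, SECURITY_DOMAINS):
            return "suspicious: blocks a security vendor"
        return "blocklist"
    # Any other address silently sends the name somewhere else.
    return "suspicious: redirects host to another address"


def triage_hosts(text: str) -> list:
    """Parse HOSTS-format text into (ip, hostname, verdict) tuples."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip_text, *names = line.split()      # one IP, then one or more names
        for name in names:
            results.append((ip_text, name, classify_entry(ip_text, name)))
    return results


def summarize(results: list) -> Counter:
    return Counter(verdict for _, _, verdict in results)


def suspicious(results: list) -> list:
    return [r for r in results if r[2].startswith("suspicious")]


if __name__ == "__main__":
    rows = triage_hosts(HOSTS_SAMPLE)
    print(summarize(rows))
    for ip_text, name, verdict in suspicious(rows):
        print(f"{ip_text:>16}  {name:<24}  {verdict}")
```

On the sample this yields five "blocklist" rows (the kind seen in the report), two "normal" localhost rows, and three suspicious rows, all of them the constructed lines. On a real machine the same split tells you quickly whether a long HOSTS listing in a scanner report is immunisation noise or something to act on; deliberate intranet entries an administrator added would need an allowlist on top of this logic.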
Satchfan
2011-07-01, 00:11
Hi Sue
Download and run ComboFix
Download ComboFix from the following location:
Link (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.
When finished, it will produce a log. Please include the ComboFix.txt in your next reply. It can be found at C:\ComboFix.txt
Satchfan
suesloan
2011-07-02, 15:10
I deleted the registry entry your RogueKiller found and now there are no more weird web sites popping up. So I think I will skip running ComboFix at this point unless it comes back.
I do appreciate all your help!
Sue
Satchfan
2011-07-02, 17:26
Thanks for letting me know but if you don't want to run ComboFix, you could run DDS and let me take a look at the log to be sure that there are no more issues.
If there are no problems, DDS should run OK now.
I'd be grateful if you would let me know what you decide, but if I hear nothing within 48 hours I will close this thread as you ask.
Regards
Satchfan
suesloan
2011-07-02, 18:05
Tried it again, still get the same error messages as before.
Sue
Satchfan
2011-07-02, 18:24
That's not a good sign.
Try running it again in Safe Mode:
To Enter Safemode
go to Start> Shut off your Computer> Restart
as the computer starts to boot-up, Tap the F8 KEY - this will bring up a menu.
use the Up and Down Arrow Keys to scroll up to Safemode
then press Enter on your keyboard