BleepingComputer.com: Exploit Rogue Scanner Type 1007


Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.


If you have not received help after three days, please post a link to your topic HERE.

Exploit Rogue Scanner Type 1007 AVG says I'm clean. But am I??

#1 Kat
  • Member
  • Group: Members
  • Posts: 126
  • Joined: 03-January 05

Posted 04 February 2010 - 06:16 PM

While doing some research via Google yesterday, a redirect to an infected site was attempted twice. When I noted the odd name of the site coming up in the URL (and when the page had barely begun to load), I clicked back to Google. Meantime, on the way to the redirected site, AVG had popped up with a virus alert of Exploit Rogue Scanner Type 1007, listed twice. The site name was also identified.

I ran the ATF cleaner, then a full AVG scan which found no problems, and followed up with an MBAM scan which also found no problems.

Can I rely on these two results without running any other diagnostics?

Thanks, folks.

#2 Sarusoga
  • New Member
  • Group: Members
  • Posts: 2
  • Joined: 05-February 10

Posted 05 February 2010 - 08:08 PM

Me too. For the past 6 days the browser has been hijacked. Sometimes I get transferred as soon as I click on a Google link, sometimes the transfer appears to occur later, after already visiting the correct site. The AVG Safe Search add-on in Mozilla does not complain about the link. AVG only very occasionally throws up a warning (Exploit Rogue Scanner Type 1007) after the hijack. PC Tools Spyware Doctor (free version) and AVG 9.0.733 find nothing on complete scans (files, registry, etc.).

#3 Sarusoga
  • New Member
  • Group: Members
  • Posts: 2
  • Joined: 05-February 10

Posted 09 February 2010 - 03:38 AM

I thought it might be worth updating what happened on my machine. As I mentioned in my previous reply, I had an Exploit 1007 message. Then AVG would report the Vundo.KA trojan having infected three processes but could not identify an infected file. Spyware Doctor also could not find anything.

Because I have a dual boot system, I copied my entire Windows partition onto a portable drive from the Linux side, and then scanned the portable drive with another, uninfected Windows machine. The culprit turns out to have been an infected \Windows\System32\drivers\atapi.sys file. To support that notion I have this evidence: first, when I check the \Windows\system32\drivers\atapi.sys file from within the infected system, neither Spyware Doctor nor AVG report anything wrong. But if I check the copy of the same file on my portable drive (even from within the infected system), Spyware Doctor reports that the file is infected. Replacing the infected atapi.sys file with a clean copy seemed to cure the problem. (I was unable to boot in Safe Mode, but I think it should be possible to do what I did with Linux from within Safe Mode.)
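The pattern in the post above (the running system reports atapi.sys clean, while a byte-for-byte copy of the same file taken from Linux is flagged even when scanned from the infected system) is the classic symptom of a kernel-mode rootkit that serves forged content for the path it patched. The reliable check is therefore a cross-view comparison: hash each driver as read through the running system and as read from an offline copy, and report every file on which the two views disagree. The script below is an added example, my code rather than anything from this thread or from AVG, Spyware Doctor or the other tools mentioned. The directory layout, the driver names other than atapi.sys, and the file bytes are constructed for the demo and are not real driver contents. A mismatch only proves the two views disagree, not which one is clean; to settle that, compare the offline copy's hash with a known-good hash for the exact Windows build and service pack, which this example does not embed.

```python
"""Cross-view integrity check for driver files (added example, not from the thread).

Compares a set of files as seen through two views of the same Windows
partition: the 'live' view exposed by the running (suspected) system and an
'offline' copy made while that system was not running, e.g. from Linux.
A rootkit that filters reads of the file it patched makes the live view
return clean-looking bytes, so the two hashes differ.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large drivers need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def cross_view_diff(live_dir, offline_dir, names):
    """Report every named file on which the two views disagree.

    live_dir    -- directory as exposed by the (possibly rootkitted) running OS
    offline_dir -- the same directory copied while that OS was not running
    names       -- relative file names to check (driver file names)

    Returns {name: reason}:
      "hash-mismatch:<live-sha256>:<offline-sha256>"  contents differ
      "missing-in-live" / "missing-in-offline"         present in one view only
    Files identical in both views, or absent from both, are not reported.
    """
    live_dir, offline_dir = Path(live_dir), Path(offline_dir)
    findings = {}
    for name in names:
        live, offline = live_dir / name, offline_dir / name
        if not live.is_file() and not offline.is_file():
            continue  # nothing to compare in either view
        if not live.is_file():
            findings[name] = "missing-in-live"
            continue
        if not offline.is_file():
            findings[name] = "missing-in-offline"
            continue
        lh, oh = sha256_of(live), sha256_of(offline)
        if lh != oh:
            findings[name] = f"hash-mismatch:{lh}:{oh}"
    return findings


def build_constructed_views(root):
    """Create two constructed directory trees so the example runs stand-alone.

    The bytes are invented for the demo and are NOT real driver contents.
    'atapi.sys' differs between the views (the situation the post describes),
    'disk.sys' is identical in both, and 'hidden.sys' exists only offline.
    """
    live = Path(root) / "live" / "Windows" / "system32" / "drivers"
    offline = Path(root) / "offline" / "Windows" / "system32" / "drivers"
    live.mkdir(parents=True)
    offline.mkdir(parents=True)
    header = b"MZ" + b"\x00" * 64  # fake PE-like prefix, constructed
    (live / "atapi.sys").write_bytes(header + b"clean-looking body served to the live OS")
    (offline / "atapi.sys").write_bytes(header + b"patched body as stored on disk")
    (live / "disk.sys").write_bytes(header + b"unchanged driver")
    (offline / "disk.sys").write_bytes(header + b"unchanged driver")
    (offline / "hidden.sys").write_bytes(header + b"only visible in the offline copy")
    return live, offline


# Hypothetical check list for the demo; in practice walk the whole drivers directory.
DRIVERS_TO_CHECK = ["atapi.sys", "disk.sys", "hidden.sys", "absent.sys"]


def demo():
    """Build the constructed views and return the cross-view findings."""
    with tempfile.TemporaryDirectory() as tmp:
        live, offline = build_constructed_views(tmp)
        return cross_view_diff(live, offline, DRIVERS_TO_CHECK)


if __name__ == "__main__":
    for name, reason in sorted(demo().items()):
        print(f"{name}: {reason}")
```

In real use the live view is the drivers directory read from the suspected Windows install and the offline view is the copy made from a Linux boot or another machine, as in the post; run the comparison over every file in \Windows\system32\drivers rather than a hand-picked list, since the patched driver is not necessarily atapi.sys, and scan the offline copy rather than the live file, because the live read is exactly what the rootkit controls.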

#4 Kat
  • Member
  • Group: Members
  • Posts: 126
  • Joined: 03-January 05

Posted 09 February 2010 - 11:24 AM

Sarusoga, thanks for posting your "self-fix". I am not expert enough to be able to mimic your actions, so it looks like I must forge ahead to the best of my own abilities: run another MBAM and AVG scan, change passwords and hope for the best.

Looks like the good folks at Bleeping are overwhelmed with requests for help, since no response from them here.

#5 boopme
  • To Insanity and Beyond
  • Group: Global Moderator
  • Posts: 48,761
  • Joined: 10-September 04
  • Gender: Male
  • Location: NJ USA

Posted 09 February 2010 - 12:40 PM

Hello, Kat. Did you update MBAM before the scan and run it in Normal mode?

Next, run ATF and SAS. If you cannot access Safe Mode, run in Normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#6 Kat
  • Member
  • Group: Members
  • Posts: 126
  • Joined: 03-January 05

Posted 09 February 2010 - 05:52 PM

Hi there, Boopme,

Yes, I did run an updated MBAM scan and in normal mode.

Below are the squeaky clean SUPER scan results:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2010 at 02:02 PM

Application Version : 4.33.1000

Core Rules Database Version : 4446
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 02:22:13

Memory items scanned : 230
Memory threats detected : 0
Registry items scanned : 4951
Registry threats detected : 0
File items scanned : 60262
File threats detected : 0

Does it look like I'm now good to go, once I do the "Create a New Restore Point" thing you directed me to do the last time I got in trouble? (Jan 6 '10 post) :thumbsup: I was almost hoping you'd not be the one to help, since I feel guilty, having experienced two similar virus threats so closely spaced! I am soooo careful where I go on the internet, so this embarrasses me!

Thank you!

#7 boopme
  • To Insanity and Beyond
  • Group: Global Moderator
  • Posts: 48,761
  • Joined: 10-September 04
  • Gender: Male
  • Location: NJ USA

Posted 10 February 2010 - 10:22 PM

Hi Kat, sorry this blizzard that went thru here made internet time almost nil..
Let's do an online scan first. If that is clear then set the new point.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.

  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


#8 Kat
  • Member
  • Group: Members
  • Posts: 126
  • Joined: 03-January 05

Posted 11 February 2010 - 05:01 PM

Hey, Boop, the results of the ESET scan are 0 infected. :thumbsup:

I'll now head over and "Create a New Restore Point".

With grateful thanks from soggy Western Oregon to your super-snowy part of the country,
~Kat

This post has been edited by Kat: 11 February 2010 - 05:02 PM


#9 boopme
  • To Insanity and Beyond
  • Group: Global Moderator
  • Posts: 48,761
  • Joined: 10-September 04
  • Gender: Male
  • Location: NJ USA

Posted 11 February 2010 - 07:35 PM

You're welcome and thanks for dropping by. :thumbsup:
