
Redirection Problem (find-thricecock) Sorry



#1 jbhome

jbhome

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:43 AM

Posted 25 March 2008 - 01:18 AM

My system started jumping to various sites, usually through find-thricecock.com.
I have tried Avast, and searched with Google and Dogpile, eventually finding reference to combofix.
I have run combofix and attached the log.
Thanks for the help.
Sincerely,
Jim Brooks

Sorry, it seems the directions to include a combofix log are wrong.
I'll leave it here for now. If someone has another recommendation, please let me know.


#2 quietman7 (Global Moderator)

Posted 25 March 2008 - 12:24 PM

Welcome to BC jbhome

You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

What OS (Win 2K, XPsp1, XPsp2, Vista) are you using? Have you performed any anti-spyware scans? Have you tried doing your scans in "Safe Mode"? Are you doing scans while logged into the "Administrator Account" or an "account with administrator privileges"?

You need to start there first. If rescanning in Safe Mode does not help, then do this:

Perform an Online Virus Scan like BitDefender.
(These require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 jbhome (Topic Starter)

Posted 25 March 2008 - 12:40 PM

Thanks for the quick response.

I've been trying for several days to fix the problem.
My system is running XP Pro with Avast anti-virus and Spybot.
I am logged in with administrator rights.
I have done scans with both (not in safe mode) and neither reports any problems.
I found a thread last night that said to use combofix. I understand this is a problem but damn there's a lot of reading to do.
The thread indicated I should post the output of combofix so the experts could review/advise my next steps.
I ran combofix with results as indicated by the previously attached dump.
The problem I have is either very small, or not yet recognized. I have found two other mentions of the same problem, redirection through find-thricecock.com, but neither had a solution.
OK, now that we've cleared the smoke, what would you recommend I do next?

Thanks for your help and your patience.

Sincerely,
Jim

#4 quietman7 (Global Moderator)

Posted 25 March 2008 - 12:49 PM

There is a lot of misuse and misinformation about combofix on the net. The warnings we provide here at BC are for the protection of your system. That's why we ask that the tool not be run without proper supervision.

Redo your scans in safe mode, then perform the online scan. We will determine what further steps (if any) are needed after that.

#5 jbhome (Topic Starter)

Posted 26 March 2008 - 08:09 PM

I have rescanned with Spybot and Avast from safe mode. Neither found anything.
I scanned with BitDefender Online and it found the following

C:\System Volume Information\_restore{24EE659D-989E-4230-A8A8-A6977DA05B33}\RP393\A0031623.dll
Infected with: Trojan.Dropper.Zirit.A

C:\WINDOWS\Installer\{26ca0efe-58de-403e-aa8d-e3e04e3fbf06}\zip.dll
Infected with: Trojan.Dropper.Zirit.A

C:\WINDOWS\Installer\{26ca0efe-58de-403e-aa8d-e3e04e3fbf06}\zip.dll
Delete failed

I tried to delete zip.dll but it is locked open.
I was not able to enter the System Volume Information directory.

What would you suggest next?

Thanks,
Jim

#6 quietman7 (Global Moderator)

Posted 26 March 2008 - 09:35 PM

Download FileASSASSIN.zip and save to your desktop (this tool is compatible with Win 2000/NT/XP/Vista only).
  • Create a new folder on your C:\ drive called FileASSASSIN and extract (unzip) the file to that folder. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.)
  • Open the folder and double-click on FileASSASSIN.exe.
  • Select the zip.dll file to delete by dragging it onto the text area or select it using the (...) browse button.
  • Select a removal method. Start with the default "Attempt FileASSASSIN's method of file removal"
  • Click delete and the removal process will begin.
  • If that did not work, start the program again, select the file(s) the same way as before and this time check "Use delete on reboot function from windows."
Note: If you cannot find the file(s), you may have to Reconfigure Windows XP to show hidden files, folders.

The infected RP***\A00*****.exe file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the SVI folder (System Restore points) but the anti-virus software was unable to remove it. Since the System Volume Information folder is a protected directory, most scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

To remove the file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.

#7 jbhome (Topic Starter)

Posted 27 March 2008 - 12:01 AM

My system appears virus free.

Thanks for your help.
Sincerely,
Jim Brooks

#8 jbhome (Topic Starter)

Posted 27 March 2008 - 12:49 AM

Sorry but I'm back.
Although Bitdefender reported no more viruses, I continue to get redirected via find-thricecock.com.
Any suggestions?

#9 quietman7 (Global Moderator)

Posted 27 March 2008 - 08:30 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#10 jbhome (Topic Starter)

Posted 28 March 2008 - 10:35 PM

Well, let's hope that's it.
Here is the log from Malwarebytes:
Malwarebytes' Anti-Malware 1.09
Database version: 563

Scan type: Quick Scan
Objects scanned: 31272
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\Installer\{26ca0efe-58de-403e-aa8d-e3e04e3fbf06} (Trojan.Alphabet) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\drnpfdxrls.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\altvxvm.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

And here is the result of SuperAntiSpyware
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/28/2008 at 08:13 PM

Application Version : 4.0.1154

Core Rules Database Version : 3427
Trace Rules Database Version: 1419

Scan type : Complete Scan
Total Scan Time : 00:39:46

Memory items scanned : 168
Memory threats detected : 0
Registry items scanned : 4708
Registry threats detected : 1
File items scanned : 13381
File threats detected : 0

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#zip [ {26ca0efe-58de-403e-aa8d-e3e04e3fbf06} ]

One note.
I did run into one problem.
When rebooting, my choices are XP or Recovery console.
I used msconfig to enable safemode boot to resolve this.

Thanks for your help

Sincerely,
Jim Brooks
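
The three scanner reports in this thread point at one object: BitDefender could not delete C:\WINDOWS\Installer\{26ca0efe-58de-403e-aa8d-e3e04e3fbf06}\zip.dll, MBAM quarantined the folder of that name, and SAS found the same CLSID as the value "zip" under HKLM\...\ShellServiceObjectDelayLoad, a key whose entries Explorer loads at logon. That is the reason the file was "locked open": the DLL was mapped into explorer.exe by the registry entry, so the registry value is the thing to remove first. As an added example, not code from this thread or from any of the scanner vendors, the Python script below re-encodes those findings in a constructed pipe-delimited format, groups them by GUID, and flags a GUID that is still referenced from an autoload key while a file deletion failed. The format, the AUTOLOAD_KEYS list, and the wording of the assessment are this example's own assumptions; the finding lines are copied from the logs posted above.

```python
"""Correlate malware-scanner findings by CLSID/GUID (added example).

Constructed for this thread; it is not BleepingComputer's, Malwarebytes',
SUPERAntiSpyware's or BitDefender's code. The finding lines below are copied
from the logs posted in the thread and re-encoded in a pipe-delimited
format that is an assumption of this example.
"""
import re
from collections import defaultdict

# A {GUID} in braces, as Windows writes CLSIDs and Installer folder names.
GUID_RE = re.compile(r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}", re.IGNORECASE)

# Registry keys whose CLSID entries Explorer loads at logon (autostart
# locations). A DLL referenced this way is mapped into explorer.exe, which
# is why an ordinary delete of the file fails as "locked". The list is
# deliberately short for this example.
AUTOLOAD_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
)

# Constructed sample: tool|location|detection name|outcome, one finding per line.
SAMPLE_FINDINGS = """\
BitDefender|C:\\WINDOWS\\Installer\\{26ca0efe-58de-403e-aa8d-e3e04e3fbf06}\\zip.dll|Trojan.Dropper.Zirit.A|Delete failed
MBAM|C:\\WINDOWS\\Installer\\{26ca0efe-58de-403e-aa8d-e3e04e3fbf06}|Trojan.Alphabet|Quarantined and deleted successfully
MBAM|C:\\WINDOWS\\drnpfdxrls.dll|Trojan.FakeAlert|Quarantined and deleted successfully
SAS|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad#zip [ {26ca0efe-58de-403e-aa8d-e3e04e3fbf06} ]|Unclassified.Unknown Origin|Detected
"""


def classify(location):
    """'registry' when the location starts with a hive name, else 'file'."""
    return "registry" if re.match(r"^HK(LM|CU|CR|U|CC)\\", location) else "file"


def is_autoload(location):
    """True when a registry location sits under one of AUTOLOAD_KEYS."""
    loc = location.lower()
    return any(key.lower() in loc for key in AUTOLOAD_KEYS)


def parse_findings(text):
    """Turn the pipe-delimited lines into dicts, extracting any GUIDs."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tool, location, name, outcome = line.split("|")
        findings.append({
            "tool": tool,
            "location": location,
            "name": name,
            "outcome": outcome,
            "kind": classify(location),
            "guids": {g.lower() for g in GUID_RE.findall(location)},
        })
    return findings


def correlate(findings):
    """Group file and registry findings by the GUID they mention."""
    by_guid = defaultdict(lambda: {"file": [], "registry": [], "autoload": False})
    for finding in findings:
        for guid in finding["guids"]:
            by_guid[guid][finding["kind"]].append(finding)
            if finding["kind"] == "registry" and is_autoload(finding["location"]):
                by_guid[guid]["autoload"] = True
    return dict(by_guid)


def assess(findings):
    """One note per GUID that is still wired into an autoload key."""
    notes = []
    for guid, entry in sorted(correlate(findings).items()):
        if not entry["autoload"]:
            continue
        failed = [f for f in entry["file"] if "fail" in f["outcome"].lower()]
        if failed:
            notes.append(
                f"{guid}: still referenced from an Explorer autoload key and "
                f"{len(failed)} file deletion(s) failed while it was loaded; "
                "remove the registry value, reboot, then delete the file."
            )
        else:
            notes.append(
                f"{guid}: autoload registry entry still present; "
                "the persistence mechanism has not been removed."
            )
    return notes


if __name__ == "__main__":
    for note in assess(parse_findings(SAMPLE_FINDINGS)):
        print(note)
```

Run as-is it reports the one GUID from the thread; the drnpfdxrls.dll and altvxvm.dll hits carry no GUID and so are not linked to anything. Feeding it a real set of scanner logs means writing a small adapter per log format into the same four-field lines.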

#11 quietman7 (Global Moderator)

Posted 29 March 2008 - 06:14 AM

Using MSConfig to access (force) safe mode can be problematic when there is malware on your system and can make your computer unusable. Some types of malware can delete or alter the safeboot key in the registry resulting in the inability to reboot fully into safe mode or back to normal mode. If you use the /Safeboot option on the Boot.ini Tab to force safe mode when the F8 key does not work, it could have disastrous results. The Safeboot option modifies the Boot.ini file and you may be locked in a continuous reboot loop afterwards where you cannot get back to MSConfig and undo your selection.

Are you saying your only issue left is that you cannot reboot into safe mode using the F8 method?

#12 jbhome (Topic Starter)

Posted 29 March 2008 - 09:39 PM

Well, I would have said that but...
I reran SuperAntiSpyware (SAS) and guess what.
Here is the result of the scan.
Further, I had to go out and left it running, and when I came back, Windows was trying to kill the task and Explorer was open and locked? Black frame/background???
I ran SAS because when I tried to open explorer, it would seem not to start. When I checked for running apps/tasks, I would have several copies present. By killing the tasks and starting another explorer it would finally come up.
When I got home and noticed the state, I was able to continue/complete clearing things with SAS. I was not able to recover, even shutting down from task manager would not shut the system down so... I manually powered the system off.
Just for yucks I ran SAS when I rebooted and got problems again.
This guy is really persistent.
Thanks for sticking with me.

The thing I really find amazing is why there isn't more about this i.e. other people with the same problem and why tools like Avast that have been so reliable seem to not be aware of this.

I would like to use the F8 approach but as I pointed out, I don't get this as an option on startup.

Any suggestions?
Thanks,
Jim
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/28/2008 at 08:13 PM

Application Version : 4.0.1154

Core Rules Database Version : 3427
Trace Rules Database Version: 1419

Scan type : Complete Scan
Total Scan Time : 00:39:46

Memory items scanned : 168
Memory threats detected : 0
Registry items scanned : 4708
Registry threats detected : 1
File items scanned : 13381
File threats detected : 0

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#zip [ {26ca0efe-58de-403e-aa8d-e3e04e3fbf06} ]

#13 quietman7 (Global Moderator)

Posted 30 March 2008 - 06:42 AM

There are no shortcuts or guarantees when it comes to malware removal. Sometimes it takes several efforts with different tools to do the job. Even then, with some types of malware infections, the task can be arduous. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.

Note: Since you're having problems with safe mode, you may need to run SDFix in normal mode, type S then press Enter so it will change to the safe mode screen. Then type Y to start.