
Unable to remove infection involving C:\resycled\boot.com


11 replies to this topic

#1 mbrookes (Members, 9 posts)
Posted 18 December 2008 - 08:18 AM

Hi, I'm not sure what to describe but I'll try lol

I was installing a program that I've installed before (convertx2dvd), but halfway through the installation it attempted to install something else as well (something along the lines of extravideo, which is not related). Even though I cancelled it immediately, I am now infected with something which is redirecting my search results randomly. I have used Spybot, which comes up with 3 results (C:\resycled\boot.com - C:\resycled\ - C:\autorun.inf) under the classification Win32.Agent.SD, but it only removes the directory containing boot.com, and that directory returned (empty now though). I have tried to delete autorun.inf myself but it immediately reappears! It's very frustrating as I have just got my new laptop how I wanted and don't want to reinstall everything.

I'm using Windows Vista Home Premium.

The program I downloaded that seemed to cause this did actually install the program I wanted, it just also attempted to randomly put something else on as well. I can't guarantee that it was definitely the cause though :thumbsup: (I still have the file if it's any help)

If I have missed anything out, I'm a novice in this area so just let me know and I'll rectify it.

Thanks for your time,

Michael


#2 Guest_superbird_* (Guests)
Posted 18 December 2008 - 08:32 AM

Hi Michael,

Welcome here. :thumbsup:

1. Download FlashDisinfector: http://www.techsupportforum.com/sectools/s...Disinfector.exe to your desktop.
Run it from there.

2. Restart your computer.

3. Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 mbrookes (Topic Starter, Members, 9 posts)
Posted 18 December 2008 - 02:41 PM

Hi, thanks for the response. When I ran FlashDisinfector and then restarted I got a blue screen, but it then started up fine. I couldn't update Malwarebytes when I first ran it, and the link you gave was not working (it just goes to http://slirsredirect.search.aol.com/slirs_...Fmbam-rules.exe and does nothing), so I ran it without updating. When I restarted and had another look I realised there were 2 update options and the other worked, so I ran it again. I'll put both logs below. Sorry if this is confusing or wrong, I wasn't sure what to do. It did find more after updating.

After running these the browser is still redirecting (don't know if it's supposed to be or not).

First log without updating:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 6.0.6001 Service Pack 1

18/12/2008 19:05:41
mbam-log-2008-12-18 (19-05-41).txt

Scan type: Quick Scan
Objects scanned: 42149
Time elapsed: 1 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.106;85.255.112.73 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c781443c-eb33-41e0-9e01-2fee8690e02c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.106;85.255.112.73 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.106;85.255.112.73 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c781443c-eb33-41e0-9e01-2fee8690e02c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.106;85.255.112.73 -> Delete on reboot.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


Second log after successful update:

Malwarebytes' Anti-Malware 1.31
Database version: 1516
Windows 6.0.6001 Service Pack 1

18/12/2008 19:18:05
mbam-log-2008-12-18 (19-18-05).txt

Scan type: Quick Scan
Objects scanned: 43109
Time elapsed: 1 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.106;85.255.112.73 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c781443c-eb33-41e0-9e01-2fee8690e02c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.106;85.255.112.73 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.106;85.255.112.73 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c781443c-eb33-41e0-9e01-2fee8690e02c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.106;85.255.112.73 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.106;85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{c781443c-eb33-41e0-9e01-2fee8690e02c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.106;85.255.112.73 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\System32\msqpdxwqsctmei.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System32\drivers\msqpdxnbcbcrrx.sys (Trojan.Agent) -> Quarantined and deleted successfully.
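
The two logs above show what this DNSChanger sample actually did: it rewrote the NameServer value under Tcpip\Parameters, both the global one and the per-interface one, in CurrentControlSet and in ControlSet001/ControlSet002, so every lookup went to 85.255.116.106 and 85.255.112.73 instead of the ISP's resolvers. That is why search results redirected while the browser itself looked normal. Note also that several entries are marked "Delete on reboot": they are still in effect until the restart the next reply asks for. The following Python script is an added example, not from the thread or from Malwarebytes; it parses MBAM-style "Registry Data Items Infected" lines, flags resolvers that fall outside an expected range, and lists the control sets whose cleanup is still pending. The sample log is constructed from the lines posted above, and the expected-resolver ranges (RFC 1918 space for a home router) are an assumption you would replace with your own.

```python
import ipaddress
import re

# Constructed sample: one registry-key line and three "Registry Data Items Infected"
# lines in the format of the MBAM 1.31 logs posted above. Nothing is read from a
# live machine.
SAMPLE_MBAM_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.106;85.255.112.73 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c781443c-eb33-41e0-9e01-2fee8690e02c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.106;85.255.112.73 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.106;85.255.112.73 -> Quarantined and deleted successfully.
"""

# Resolvers this machine is expected to use. Assumption for the example: a home
# router on RFC 1918 space. Replace with your ISP's or corporate resolvers.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# One MBAM registry-data finding: <key>\NameServer (<detection>) -> Data: <data> -> <action>
NAMESERVER_LINE = re.compile(
    r"^(?P<key>HKEY_\S+)\\NameServer \((?P<detection>[^)]+)\) -> "
    r"Data: (?P<data>\S+) -> (?P<action>.+)$"
)
CONTROL_SET = re.compile(r"\\(CurrentControlSet|ControlSet\d{3})\\")
INTERFACE_GUID = re.compile(r"\{[0-9a-f-]{36}\}", re.I)


def parse_nameserver_findings(log_text):
    """Return one dict per NameServer line: control set, interface GUID (None for
    the global value), the resolver list and whether MBAM deferred removal."""
    findings = []
    for line in log_text.splitlines():
        m = NAMESERVER_LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines and findings that are not NameServer values
        cs = CONTROL_SET.search(m["key"])
        guid = INTERFACE_GUID.search(m["key"])
        findings.append({
            "key": m["key"],
            "control_set": cs.group(1) if cs else None,
            "interface": guid.group(0) if guid else None,
            "servers": [s for s in re.split(r"[;,]", m["data"]) if s],
            "pending_reboot": "reboot" in m["action"].lower(),
        })
    return findings


def rogue_resolvers(findings):
    """Resolver addresses outside EXPECTED_RESOLVERS, deduplicated and sorted."""
    rogue = set()
    for f in findings:
        for s in f["servers"]:
            ip = ipaddress.ip_address(s)
            if not any(ip in net for net in EXPECTED_RESOLVERS):
                rogue.add(s)
    return sorted(rogue, key=ipaddress.ip_address)


def control_sets_pending_reboot(findings):
    """Control sets whose NameServer value is only scheduled for deletion. Until the
    reboot the hijacked resolvers are still in use, and a ControlSet00N copy that is
    missed can carry the value back (CurrentControlSet is a link to one of them)."""
    return sorted({f["control_set"] for f in findings if f["pending_reboot"]})


if __name__ == "__main__":
    found = parse_nameserver_findings(SAMPLE_MBAM_LOG)
    print("rogue resolvers:", rogue_resolvers(found))
    print("control sets still pending reboot:", control_sets_pending_reboot(found))
```

Run it as-is to see the two rogue addresses and the two control sets that still need the reboot; to use it on a real log, pass the contents of the mbam-log-*.txt file to parse_nameserver_findings instead of the constructed sample.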

#4 Guest_superbird_* (Guests)
Posted 18 December 2008 - 02:52 PM

Hi,

Please reboot your pc now, if you didn't already do it. :thumbsup:

Then, do this:
Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[screenshots: the "Scan is completed" window and its "Save Report As" button]
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

#5 mbrookes (Topic Starter, Members, 9 posts)
Posted 19 December 2008 - 04:38 AM

Hi I have run the scan, the results are below,

Thanks

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 19, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 19, 2008 04:54:32
Records in database: 1479562
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 129727
Threat name: 3
Infected objects: 2
Suspicious objects: 1
Duration of the scan: 01:20:59


File name / Threat name / Threats count
C:\Program Files\Mozilla Firefox 3.1 Beta 2\components\iamfamous.dll Infected: Trojan.Win32.Agent.avjo 1
C:\Users\Michael A Brookes\AppData\Local\Temp\tmp1C77.tmp Infected: Trojan.Win32.Agent.asxa 1
C:\Users\Michael A Brookes\AppData\Local\Temp\tmp1C78.tmp Suspicious: Trojan.Win32.Patched.dy 1

The selected area was scanned.

#6 Guest_superbird_* (Guests)
Posted 19 December 2008 - 04:56 AM

Open Notepad.
Copy this in the Notepad-file:

@ECHO OFF
REM Delete the two temp files Kaspersky flagged and record each outcome in log.txt
REM (written to the folder the batch file runs from, i.e. the Desktop).
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
"C:\Users\Michael A Brookes\AppData\Local\Temp\tmp1C77.tmp"
"C:\Users\Michael A Brookes\AppData\Local\Temp\tmp1C78.tmp") DO (
IF EXIST %%g (
REM Clear read-only, system and hidden attributes first so DEL is not refused
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt

Go to File - Save as...
Fill in the next values:
Location: Desktop
File name: del.bat
File type: All files (*.*).
Now, click Save.
Doubleclick del.bat.
Post the contents of the logfile that opens in your next reply.

#7 mbrookes (Topic Starter, Members, 9 posts)
Posted 19 December 2008 - 07:23 AM

Hi, here are the contents of the logfile.


Deleting files
"C:\Users\Michael A Brookes\AppData\Local\Temp\tmp1C77.tmp" deleted
"C:\Users\Michael A Brookes\AppData\Local\Temp\tmp1C78.tmp" deleted

#8 Guest_superbird_* (Guests)
Posted 19 December 2008 - 07:24 AM

Hi,

You can delete del.bat.
Do you still have problems? :thumbsup:

#9 mbrookes (Topic Starter, Members, 9 posts)
Posted 19 December 2008 - 08:05 AM

I've checked both IE and Firefox, and Firefox is still redirecting. IE is fine though. Will the Firefox problem have anything to do with the iamfamous.dll that was listed in the Kaspersky report?

Thanks, Michael

#10 Guest_superbird_* (Guests)
Posted 19 December 2008 - 08:07 AM

Delete this file:
C:\Program Files\Mozilla Firefox 3.1 Beta 2\components\iamfamous.dll

Does Firefox still redirect?

#11 mbrookes (Topic Starter, Members, 9 posts)
Posted 19 December 2008 - 09:26 AM

No, everything seems to be fine now :thumbsup: Thanks for your help, I appreciate it.

Have a good Christmas and New Year,

Michael

#12 Guest_superbird_* (Guests)
Posted 19 December 2008 - 09:28 AM

Hi,

Everything looks clean again. :thumbsup:
Do this:

1. Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
2. Go to the Windows Update site and download and install all available updates, so your computer is protected against malware.

3. Read this page to protect yourself against re-infection.

You can delete all used tools and programs. (You can keep MBAM)

You also have a good Christmas and a happy New Year. :flowers:

Edited by superbird, 19 December 2008 - 09:28 AM.




