
Google redirections, McAfee update error and McAfee website blocked


6 replies to this topic

#1 mikey24


Posted 21 April 2009 - 05:18 PM

Hi - would be very grateful of some help! Running XP Media Center Edition, Version 2002, SP3. Using IE7 primarily, but also Firefox 3.

In IE, although it doesn't happen all the time, Google often re-directs to various ad-sites, although the correct site can be reached by clicking Back. It will not let me access the McAfee website - giving a "HTTP 501 Not Implemented or HTTP 505 Version Not Supported" error. Firefox randomly crashes and re-starts every now and then and gives a blank page with "The specified method is not supported" for McAfee.

McAfee Security Centre does not start up automatically any more on startup even though I haven't changed any settings. When the program is opened from the desktop it states the detection signature is out of date, however when I try to update, it appears to try before giving an update error and telling me to reinstall McAfee Internet Security (which I can't do because I can't access the website!).

Having looked at several topics on here and other boards, I have tried doing the following scans with the respective results - all without any success:

SUPERAntiSpyware, first scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/21/2009 at 01:23 AM

Application Version : 4.26.1000

Core Rules Database Version : 3854
Trace Rules Database Version: 1806

Scan type : Complete Scan
Total Scan Time : 01:29:29

Memory items scanned : 674
Memory threats detected : 0
Registry items scanned : 7459
Registry threats detected : 0
File items scanned : 39047
File threats detected : 580

Adware.Tracking Cookie
(I have deleted these from the copy/paste as there were over 500!)

Trojan.Unclassified
C:\WINDOWS\SYSTEM32\MPFSERVICEFAILURECOUNT.TXT

Trace.Known Threat Sources
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\KI4LE0WF\images[2].jpg
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\IYOARQ78\images[5].jpg
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\EEMOT2X8\images[1].jpg
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\SLABO92G\images[9].jpg
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\PVQT23V9\images[7].jpg
_____________________________________________________________________________________________________

I then did a scan with MBAM:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

21/04/2009 02:00:34
mbam-log-2009-04-21 (02-00-34).txt

Scan type: Quick Scan
Objects scanned: 102437
Time elapsed: 19 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_____________________________________________________________________________________________________

When neither worked I did a scan with DrWeb-Cureit:

1-10 Professional Widow [Armand's St.m4a;C:\Documents and Settings\Mike\My Documents\My Music\iTunes\iTunes Music\Compilations\Ibiza Uncovered Vol. 1 [Disc 1];Modification of Win32.Yasv.924;Moved.;
CFD.exe;C:\Program Files\BroadJump\Client Foundation;Adware.Cfd;Moved.;
DialerOEM.exe;C:\Program Files\Tiscali\Tiscali Internet;Trojan.Swizzor.based;Deleted.;
A0060319.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP830;Trojan.Swizzor.based;Deleted.;

_____________________________________________________________________________________________________

As this again didn't work, I ran ATF-Cleaner, and attempted to run SDFix, however couldn't get it to run in safe mode. I then ran SUPERAntiSpyware and MBAM in safe mode, re-booting after each process:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/21/2009 at 03:41 PM

Application Version : 4.26.1000

Core Rules Database Version : 3854
Trace Rules Database Version: 1806

Scan type : Complete Scan
Total Scan Time : 01:10:31

Memory items scanned : 265
Memory threats detected : 0
Registry items scanned : 7489
Registry threats detected : 0
File items scanned : 140913
File threats detected : 0

_____________________________________________________________________________________________________

Malwarebytes' Anti-Malware 1.36
Database version: 2015
Windows 5.1.2600 Service Pack 3

21/04/2009 22:18:57
mbam-log-2009-04-21 (22-18-57).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 233153
Time elapsed: 1 hour(s), 27 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_____________________________________________________________________________________________________

So here I am - the problems still persist. I have tried to run DDS, however all that happens is the black box flashes up on screen and disappears without doing anything.

Any ideas?!
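Added example (editor's code, not part of the original post and not a Malwarebytes tool): a small Python parser for the Malwarebytes' Anti-Malware 1.36 log layout pasted above. It reads the "X Infected: N" summary counts and the per-section item lines, checks that the counts agree with the items actually listed, and pulls out any Security Center values the scan touched, since the two "Disabled.SecurityCenter" data items in the first MBAM log (AntiVirusDisableNotify and FirewallDisableNotify set to 1) are the settings that silence the "no antivirus / no firewall" warnings and fit the McAfee symptoms described. The sample log is constructed from lines of the post's own log and trimmed; the function and constant names are the example's own assumptions.

```python
import re

# Constructed sample in the layout of the MBAM 1.36 log pasted above
# (trimmed to the lines needed; paths and detections copied from that log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 102437

Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Registry Keys Infected: 1"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Registry Keys Infected:"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
NO_ITEMS = "(No malicious items detected)"

# The key under which XP's Security Center keeps the *DisableNotify values
# that the log reports as Disabled.SecurityCenter.
SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"


def parse_mbam_log(text):
    """Return (summary, sections): summary maps 'X Infected' -> count,
    sections maps 'X Infected' -> list of dicts with path/detection/action."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line closes the current section
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None or line == NO_ITEMS:
            continue
        m = ITEM_RE.match(line)
        if m:
            sections[current].append(m.groupdict())
        else:                       # keep unparsed lines rather than drop them
            sections[current].append({"path": line, "detection": "?", "action": "?"})
    return summary, sections


def check_counts(summary, sections):
    """Names of sections whose summary count disagrees with the items listed
    (a truncated paste or a hand-edited log shows up here)."""
    return [name for name, count in summary.items()
            if name in sections and len(sections[name]) != count]


def security_center_tampering(sections):
    """Value names under the Security Center key that the scan found altered."""
    hits = []
    for items in sections.values():
        for item in items:
            if item["path"].upper().startswith(SECURITY_CENTER_KEY.upper()):
                hits.append(item["path"].rsplit("\\", 1)[-1])
    return hits


if __name__ == "__main__":
    summary, sections = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(summary, sections))
    for name, items in sections.items():
        for item in items:
            print(f"{name}: {item['detection']} at {item['path']}")
    print("Security Center values touched:", security_center_tampering(sections))
```

Run against the sample, the parser reports no count mismatches, one Adware.MyWebSearch key and both DisableNotify values under the Security Center key. On a live machine the same two values can be confirmed after cleanup by reading that key in the registry and checking they are back to 0; a non-zero value there is a sign that something is again suppressing the Security Center warnings.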


#2 rigel


Posted 21 April 2009 - 08:25 PM

Install RootRepeal

Click here - Official RootRepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - the Self Help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 mikey24


Posted 22 April 2009 - 04:12 PM

Here is the RootRepeal scan result:

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/22 20:51
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xEBC15000 Size: 749568 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEEC58000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_bE9m0bdzivTN8U9
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_EjdaMFhuT1uuJhH
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_habOf4H2SZ5ZSDf
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_kaRW7U1Yit1hGbU
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_LpPVqYLeWoMbhh7
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_MR26Rd8jRp7Vosy
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_PgvclIasatIO4VG
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_qH20Hj7wDzRYtx7
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_0S1sNCow57iMHqW
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_2M1Eo8TnWb04oBo
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Messenger\mike_long42@hotmail.com\SharingMetadata\havardsamantha@hotmail.com\DFSR\Staging\CS{D49F8310-2542-069B-BC2B-21B73DB8A248}\01\10-{D49F8310-2542-069B-BC2B-21B73DB8A248}-v1-{563BEDAB-49F9-48D7-960D-88E35697D383}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Program Files\Common Files\AOL\1176420174\ee\services\sysinfo\ver2_1_1_4\resources\en-GB\ui\core\script\HTMLComposer.js:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Handle [Index: 308, Type: Event]
Process: Rundll32.exe (PID: 556) Address: 0x84f3a528 Size: -

Object: Hidden Handle [Index: 344, Type: Mutant]
Process: Rundll32.exe (PID: 556) Address: 0x84f052a0 Size: -

Object: Hidden Handle [Index: 368, Type: Event]
Process: Rundll32.exe (PID: 556) Address: 0x84ea31a8 Size: -

Object: Hidden Handle [Index: 376, Type: Event]
Process: Rundll32.exe (PID: 556) Address: 0x84ed8208 Size: -

Object: Hidden Handle [Index: 392, Type: Key]
Process: Rundll32.exe (PID: 556) Address: 0xe1a43518 Size: -

Object: Hidden Handle [Index: 400, Type: Mutant]
Process: Rundll32.exe (PID: 556) Address: 0x84ef5978 Size: -

Object: Hidden Handle [Index: 440, Type: Mutant]
Process: Rundll32.exe (PID: 556) Address: 0x84fb5b00 Size: -

Object: Hidden Handle [Index: 560, Type: File]
Process: Rundll32.exe (PID: 556) Address: 0x8567cf90 Size: -

Object: Hidden Handle [Index: 576, Type: Mutant]
Process: Rundll32.exe (PID: 556) Address: 0x84ea2540 Size: -

Object: Hidden Handle [Index: 588, Type: Event]
Process: Rundll32.exe (PID: 556) Address: 0x84ebd528 Size: -

Object: Hidden Handle [Index: 600, Type: Event]
Process: Rundll32.exe (PID: 556) Address: 0x84ea16e0 Size: -

#4 mikey24


Posted 22 April 2009 - 05:14 PM

As none of the results are as described in the tutorial what do I do now?!

#5 rigel


Posted 22 April 2009 - 07:56 PM

Please locate and submit this file to Jotti's = > http://www.jotti.org

C:\WINDOWS\Temp\sqlite_bE9m0bdzivTN8U9

Please post the results of the scan.



#6 mikey24


Posted 23 April 2009 - 02:22 AM

File: sqlite_bE9m0bdzivTN8U9
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: e2f2afa6b1027b3da53def937995ca67
Packers detected: -

Scanner results
Scan taken on 23 Apr 2009 06:41:06 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

_____________________________________________________________________________________________________

As that was the result, I ran the other Hidden/Locked files from the RootRepeal scan, all giving the same result except ...\sqlite_kaRW7U1Yit1hGbU which didn't appear in the Temp folder; when I manually typed the file name into the upload box and clicked submit, the following message came up:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

#7 rigel


Posted 23 April 2009 - 06:44 AM

At this point, I feel you have exhausted everything you can do in this forum. I don't see anything standing out as malware. I would suggest moving to the HJT/Malware forum and posting a log there. They have more advanced tools that can be used.

Please follow the HJT forum (http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/) and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know.

Edited by rigel, 23 April 2009 - 06:46 AM.
