Infected with thefeedwater browser redirect


10 replies to this topic

#1 flyboy_ont

Posted 08 November 2009 - 10:32 AM

Some background to the infection. I accidentally clicked on an ad on a site I visit a lot. A couple of minutes later I had the Advanced Virus Remover infection. I used Norton Antivirus, Windows Defender and Malwarebytes to remove the infection. I was successful in removing the fake GUI and the Trojan warnings disappeared from Norton. It appears I am still infected with the 'THEFEEDWATER' browser hijack, as every time I click on a Google search link it goes somewhere else. Every time I use Malwarebytes to remove the 'nasties', they just replicate themselves and the hijack is back.

I am using XP PRO SP2 64 bit. I keep the OS up to date in updates and virus definitions up to date.

I'd really appreciate help in removing this pain in the #$%.

Thank you in advance.

#2 D_N_M

Posted 08 November 2009 - 11:02 AM

Hello flyboy_ont

Please try this http://www.superantispyware.com/?rid=3324
Open SUPER from the icon, then install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post the 2 logs and let us know how the PC is running now.

{credits to boopme}


Thanks

D_N_M

#3 flyboy_ont

Posted 08 November 2009 - 11:44 AM

Thank you so much for your reply. First off, I cannot go into safe mode. If I press F8 at startup it cycles on reboot. If I set safe mode through msconfig, it also cycles through reboot (keeps rebooting). I tried the msconfig method already and it just kept rebooting. I had to modify the BOOT.INI file to remove the safe mode switch.

#4 D_N_M

Posted 08 November 2009 - 12:06 PM

Hello flyboy_ont

Could you please update, run a quick scan and post a log from MBAM?

Thank you

D_N_M

#5 flyboy_ont

Posted 08 November 2009 - 02:44 PM

Sorry it took so long, had a family matter to attend to. Anyways, here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 3129
Windows 5.2.3790 Service Pack 2

11/8/2009 2:38:09 PM
mbam-log-2009-11-08 (14-38-09).txt

Scan type: Quick Scan
Objects scanned: 104969
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Ken\ntuser.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Downloader) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Ken\ntuser.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Ken\Start Menu\Programs\Startup\scandisk.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ken\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ken\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.


Also read somewhere that there is a file in my Documents and Settings folder, nsrbgxod.bak, that might be a culprit. It's there but locked due to process use.
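
Added example (not part of any post in this thread, and not Malwarebytes' own tooling): a small Python triage script for the log format posted above. It lists which detections are only scheduled for "Delete on reboot" and which sit in autostart locations. The log excerpt is copied from the post; the function names and the two autostart patterns are assumptions of this example.

```python
import re

# Excerpt copied from the Malwarebytes log in the post above.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\Documents and Settings\Ken\ntuser.dll (Trojan.Downloader) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Downloader) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Ken\ntuser.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Ken\Start Menu\Programs\Startup\scandisk.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ken\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
"""

SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")
ITEM = re.compile(r"^(?P<path>.+?) \((?P<label>[^()]+)\) -> (?P<action>.+?)\.?$")
# Assumption: only the two autostart locations that appear in this log.
AUTOSTART = ("\\currentversion\\run\\", "\\start menu\\programs\\startup\\")


def parse_mbam_log(text):
    """Return one dict per detection: section, path, label, action."""
    section, items = None, []
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:  # "Files Infected:" opens a section; "Files Infected: 4" does not
            section = header.group("name")
            continue
        item = ITEM.match(line)
        if item and section:
            items.append({"section": section, **item.groupdict()})
    return items


def triage(items):
    """Return (paths still awaiting reboot, paths in autostart locations)."""
    pending = sorted({i["path"] for i in items if "reboot" in i["action"].lower()})
    autostart = sorted({i["path"] for i in items
                        if any(a in i["path"].lower() for a in AUTOSTART)})
    return pending, autostart


if __name__ == "__main__":
    pending, autostart = triage(parse_mbam_log(SAMPLE_LOG))
    print("Still present until reboot:", *pending, sep="\n  ")
    print("Autostart entries detected:", *autostart, sep="\n  ")
```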

#6 flyboy_ont

Posted 09 November 2009 - 07:25 AM

I don't know how I did it but I think I'm clean. Here's a quick scan from Malwarebytes:

Malwarebytes' Anti-Malware 1.41
Database version: 3132
Windows 5.2.3790 Service Pack 2

11/9/2009 7:23:37 AM
mbam-log-2009-11-09 (07-23-37).txt

Scan type: Quick Scan
Objects scanned: 105220
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Should I do anything further?

#7 guitardude1

Posted 09 November 2009 - 04:55 PM

Hey, I'm having the same problem and now my computer is cycling through reboots. I have no idea how to modify that boot file, can someone help me?

#8 flyboy_ont

Posted 09 November 2009 - 05:15 PM

I could help you but it might be wise if you could get help from one of the pros here. I think that is one of the requirements of the site.

#9 D_N_M

Posted 11 November 2009 - 12:51 AM

Hello guitardude1
Please start your own thread as it will only cause confusion.

Thank You

D_N_M

flyboy_ont, your log looks clean. Are you having any other problems with the PC?
Please let us know.

Thank you

D_N_M

Edited by D_N_M, 11 November 2009 - 12:57 AM.


#10 flyboy_ont

Posted 16 November 2009 - 09:12 AM

Sorry I didn't notice your last reply. The only problem I have is not being able to boot into safe mode. Been trying to figure it out myself, but no idea what to do next.

#11 flyboy_ont

Posted 19 November 2009 - 09:10 AM

I have continued this thread at

http://www.bleepingcomputer.com/forums/t/272359/can-not-boot-into-safe-mode/

hopefully to resolve SAFE MODE problem.



