Alureon/DNSChanger/Malware-gen


15 replies to this topic

#1 nibpen

  • Members
  • 9 posts

Posted 23 November 2009 - 07:25 PM

I want to firstly say thanks to whoever may be assisting me :thumbsup:

I'm currently running Windows Vista Home Premium, Service Pack 2, 32-bit OS, and I use Mozilla Firefox to surf the web. Around Wednesday or Thursday last week, I ran into the Antivirus2009 and, being a fool, clicked it because I mistook it for my Windows security - more specifically, it was named "Security Tool". A bunch of files started requesting access to the internet, and this happens occasionally with my normal programs, so I allowed them at first. After the third or fourth permission, I at last began to suspect something shady, so I started denying access and shut down all my programs, and attempted to download a new anti-virus program (my Norton Symantec Internet Security had expired). I downloaded AVG Free successfully, but when I tried to install it, Security Tools froze the installation, and a continuous stream of Internet Explorer popups to an online poker/casino site would appear. Then my computer went to blue screen and said Windows was attempting to prevent damage to my computer. I rebooted, and Security Tools executed and would, after a few minutes, blue screen again. Safe mode worked fine, so I did a system restore to several days earlier.

I then went ahead and downloaded/successfully installed Avast! anti-virus (AVG Free hadn't installed, and I uninstalled my Norton Symantec), as well as Malwarebytes Anti-Malware and ran a few scans. It picked up several things, quarantined them all. Security Tools is currently quarantined. I then proceeded to do a disc cleanup and defragmentation, both of which were successful, but during the defragmentation, avast! picked up a handful of trojans. Also, around this time period (Friday to Saturday), when I would be watching DVD movies or listening to music on iTunes, an unfamiliar audio would start playing at the same time. I'm not at all sure what the audio was about, but it sounded like people just...talking and having conversations with noise in the background. When I closed the program I was currently watching/listening to, the mysterious audio would then cease. After running scans with avast!, AdAware, and MBAM, however, these mystery audios have not made a reappearance.

However, since then, I've been running into a barrage of alerts from avast! and, as of this morning, AdAware. Previously, avast! was only picking up trojans, but this morning it started detecting rootkits as well. Not to mention, since getting hit by Security Tools, log-ins to Windows are taking a few minutes longer than before and, during this wait time, the wallpaper will be a plain, blank, blue, as opposed to my usual wallpaper which was immediately displayed after logging in. I'm not sure if this is related, but I figure I might as well report everything that's been different since my system was infected by Security Tools.

Now, after I log in, a problem report will pop up and say my HP Health Check stopped working, as well as my HP Media Center Store stopped working. Also, every 5 to 20 minutes, a problem report will say my Internet Explorer stopped working. None of these happened prior to Security Tools. And lastly, only starting today, my search results on Google will randomly be redirected; for example, when I Googled BleepingComputers and clicked on the hit it gave me, I was redirected to a random site. However, after clicking "Back" and then re-clicking the search result, I was successfully directed to BC.

The following is my log from avast!

19/11/2009 7:43:45 PM SYSTEM 1784 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Users\Curtis\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9DFEE457-D56D-11DE-A14E-001B2461ED6A}.dat (C:\Users\Curtis\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9DFEE457-D56D-11DE-A14E-001B2461ED6A}.dat) returning error, 00000005.
19/11/2009 9:29:47 PM SYSTEM 1784 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Users\Curtis\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6DFCD0CF-D57C-11DE-A14E-001B2461ED6A}.dat (C:\Users\Curtis\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6DFCD0CF-D57C-11DE-A14E-001B2461ED6A}.dat) returning error, 00000005.
20/11/2009 11:08:23 AM SYSTEM 1984 Sign of "Win32:DNSChanger-VJ [Trj]" has been found in "C:\Users\Curtis\AppData\Local\Temp\WERD5B8.tmp.hdmp" file.
20/11/2009 11:34:22 AM SYSTEM 1984 Sign of "Win32:DNSChanger-VJ [Trj]" has been found in "C:\Users\Curtis\AppData\Local\Temp\WERA056.tmp.hdmp" file.
20/11/2009 1:06:25 PM SYSTEM 1984 Sign of "Win32:DNSChanger-VJ [Trj]" has been found in "C:\Users\Curtis\AppData\Local\Temp\WERE802.tmp.hdmp" file.
20/11/2009 1:51:26 PM SYSTEM 1984 Sign of "Win32:DNSChanger-VJ [Trj]" has been found in "C:\Users\Curtis\AppData\Local\Temp\WER1E4E.tmp.hdmp" file.
20/11/2009 2:16:33 PM SYSTEM 1984 Sign of "Win32:Delf-MBA [Trj]" has been found in "C:\749efdf128b393e8d566bde178\source.temp" file.
20/11/2009 2:29:11 PM Curtis 280 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\Temp\fgjk4wvb.dll" file.
20/11/2009 2:29:26 PM Curtis 280 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\Temp\VRT13C8.tmp" file.
23/11/2009 11:33:50 AM SYSTEM 1792 Sign of "Win32:Alureon-EJ [Rtk]" has been found in "C:\WINDOWS\Temp\WER4FD6.tmp.hdmp" file.
23/11/2009 12:41:03 PM SYSTEM 1840 Sign of "Win32:Alureon-EJ [Rtk]" has been found in "C:\WINDOWS\Temp\WER563C.tmp.hdmp" file.
23/11/2009 2:05:26 PM SYSTEM 1840 Sign of "Win32:Alureon-EJ [Rtk]" has been found in "C:\Users\Curtis\AppData\Local\Temp\WER9501.tmp.hdmp" file.
23/11/2009 2:18:08 PM SYSTEM 1840 Sign of "Win32:Alureon-EJ [Rtk]" has been found in "C:\Users\Curtis\AppData\Local\Temp\WER36DB.tmp.hdmp" file.
23/11/2009 2:56:31 PM SYSTEM 1840 Sign of "Win32:Alureon-EJ [Rtk]" has been found in "C:\Users\Curtis\AppData\Local\Temp\WER563E.tmp.hdmp" file.
23/11/2009 4:23:50 PM SYSTEM 1840 Sign of "Win32:Alureon-EJ [Rtk]" has been found in "C:\Users\Curtis\AppData\Local\Temp\WER4ADB.tmp.hdmp" file.
23/11/2009 4:47:24 PM SYSTEM 1840 Sign of "Win32:Alureon-EJ [Rtk]" has been found in "C:\Users\Curtis\AppData\Local\Temp\WERD7AF.tmp.hdmp" file.
23/11/2009 5:04:58 PM Curtis 1312 Sign of "Win32:Alureon-EJ [Rtk]" has been found in "C:\Users\Curtis\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report08af0407\WERF78B.tmp.hdmp" file.
23/11/2009 5:05:15 PM Curtis 1312 Sign of "Win32:Alureon-EJ [Rtk]" has been found in "C:\Users\Curtis\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report0d7cf098\WERE390.tmp.hdmp" file.
23/11/2009 5:05:20 PM Curtis 1312 Sign of "Win32:Alureon-EJ [Rtk]" has been found in "C:\Users\Curtis\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report11deace4\WER9C72.tmp.hdmp" file.
23/11/2009 5:11:51 PM Curtis 1312 Sign of "WMA:Wimad [Drp]" has been found in "C:\Users\Curtis\Documents\LimeWire\Saved\oona-tore my heart extended version.mp3" file.
23/11/2009 5:12:08 PM Curtis 1312 Sign of "WMA:Wimad [Drp]" has been found in "C:\Users\Curtis\Documents\LimeWire\Saved\oona-tore my heart.mp3" file.
23/11/2009 5:12:16 PM Curtis 1312 Sign of "WMA:Wimad [Drp]" has been found in "C:\Users\Curtis\Documents\LimeWire\Saved\Sara Bareilles - Gravity.wma" file.
23/11/2009 5:21:22 PM SYSTEM 1840 Sign of "Win32:DNSChanger-VJ [Trj]" has been found in "C:\Users\Curtis\AppData\Local\Temp\WERF2CE.tmp.hdmp" file.
23/11/2009 5:33:14 PM Curtis 1312 Sign of "Win32:Alureon-EJ [Rtk]" has been found in "C:\WINDOWS\Temp\WER563C.tmp.hdmp" file.
23/11/2009 5:45:51 PM SYSTEM 1840 Sign of "Win32:DNSChanger-VJ [Trj]" has been found in "C:\Users\Curtis\AppData\Local\Temp\WER5D05.tmp.hdmp" file.
23/11/2009 6:14:32 PM Curtis 1312 Sign of "Win32:Alureon-EJ [Rtk]" has been found in "C:\WINDOWS\TEMP\WER563C.tmp.hdmp" file.


The following is my original log from MBAM - I've run three scans since then, and all those have turned up clean, so I'm guessing this will be the only helpful/relevant log.

Malwarebytes' Anti-Malware 1.41
Database version: 3200
Windows 6.0.6002 Service Pack 2

19/11/2009 10:13:38 PM
mbam-log-2009-11-19 (22-13-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 322429
Time elapsed: 2 hour(s), 23 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Curtis\Desktop\Applications\Crack\keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9JNTOBMX\so[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JLMQH0HS\ms[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRTA65.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.


I hope this overload of information helps. I've been reading some other threads on this forum, and based on general advice about p2p security issues one BC staff member gave to someone seeking help, I uninstalled Limewire.

EDIT: I would also like to state that I'm not very tech-y. I understand computers a tiny bit, but I'm by no means a wiz. I did note that most of the alerts were being sourced from my User/AppData/Local/Temp folder, and I see other .tmp files that are similarly named to the things avast! picked up. However, when I Googled how to clear out AppData/Local/Temp files, most of the places I looked said that it wasn't perfectly safe to delete those files because my computer might need to access some of them.

Edited by nibpen, 23 November 2009 - 07:42 PM.
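As an added illustration (my code, not something posted in the thread), this Python script parses avast! 4.x log lines of the kind pasted above, separates detections from scan warnings, and groups hits by signature and directory. It also counts how many hits landed in Windows Error Reporting heap dumps (*.hdmp), which Windows writes when a process crashes; repeated hits there mean the signature is being matched inside memory images of a crashing process (here Internet Explorer) rather than in the dump itself, so the dumps are a symptom, not the thing to clean. The sample lines are constructed from the format above; `SAMPLE_LOG`, `parse_avast_log` and `summarize` are my names.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: a few lines in the avast! 4.x log format pasted above
# (one scan warning and four detections; paths are the ones from the post).
SAMPLE_LOG = [
    r'19/11/2009 7:43:45 PM SYSTEM 1784 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: '
    r'C:\Users\Curtis\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9DFEE457-D56D-11DE-A14E-001B2461ED6A}.dat '
    r'(C:\Users\Curtis\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9DFEE457-D56D-11DE-A14E-001B2461ED6A}.dat) returning error, 00000005.',
    r'20/11/2009 11:08:23 AM SYSTEM 1984 Sign of "Win32:DNSChanger-VJ [Trj]" has been found in "C:\Users\Curtis\AppData\Local\Temp\WERD5B8.tmp.hdmp" file.',
    r'20/11/2009 2:29:11 PM Curtis 280 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\Temp\fgjk4wvb.dll" file.',
    r'23/11/2009 11:33:50 AM SYSTEM 1792 Sign of "Win32:Alureon-EJ [Rtk]" has been found in "C:\WINDOWS\Temp\WER4FD6.tmp.hdmp" file.',
    r'23/11/2009 5:11:51 PM Curtis 1312 Sign of "WMA:Wimad [Drp]" has been found in "C:\Users\Curtis\Documents\LimeWire\Saved\oona-tore my heart.mp3" file.',
]

# "<date> <time> <AM/PM> <account> <pid> Sign of "<signature>" has been found in "<path>" file."
DETECTION_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<account>\S+) (?P<pid>\d+) Sign of "(?P<signature>[^"]+)" '
    r'has been found in "(?P<path>[^"]+)" file\.$'
)
# Scanner could not open a file; the trailing value is a Win32 error code in hex.
WARNING_RE = re.compile(
    r'^\S+ \S+ [AP]M \S+ \d+ AAVM - scanning warning: .* returning error, (?P<code>[0-9A-Fa-f]{8})\.$'
)
# avast! suffixes signatures with a class tag, e.g. [Trj], [Rtk], [Drp].
CATEGORY_RE = re.compile(r'\[(?P<category>\w+)\]\s*$')


def parse_avast_log(lines):
    """Split avast! log lines into detections, scan warnings and unrecognised lines."""
    detections, warnings, unparsed = [], [], []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        m = DETECTION_RE.match(line)
        if m:
            rec = m.groupdict()
            cat = CATEGORY_RE.search(rec["signature"])
            rec["category"] = cat.group("category") if cat else None
            p = PureWindowsPath(rec["path"])
            rec["directory"] = str(p.parent).lower()   # NTFS paths are case-insensitive
            rec["is_crash_dump"] = p.suffix.lower() == ".hdmp"  # WER heap dump of a crashed process
            detections.append(rec)
            continue
        m = WARNING_RE.match(line)
        if m:
            # 0x00000005 is ERROR_ACCESS_DENIED: the file was locked, not infected.
            warnings.append({"line": line, "win32_error": int(m.group("code"), 16)})
            continue
        unparsed.append(line)
    return detections, warnings, unparsed


def summarize(detections):
    """Aggregate what was hit, and separate crash-dump hits from files that could run."""
    return {
        "total": len(detections),
        "by_signature": Counter(d["signature"] for d in detections),
        "by_category": Counter(d["category"] or "unclassified" for d in detections),
        "by_directory": Counter(d["directory"] for d in detections),
        "crash_dump_hits": sum(d["is_crash_dump"] for d in detections),
        "live_file_hits": [d["path"] for d in detections if not d["is_crash_dump"]],
    }


if __name__ == "__main__":
    dets, warns, rest = parse_avast_log(SAMPLE_LOG)
    report = summarize(dets)
    print(f"{report['total']} detections, {len(warns)} scan warnings, {len(rest)} unparsed lines")
    for sig, n in report["by_signature"].most_common():
        print(f"  {n}x {sig}")
    print(f"{report['crash_dump_hits']} hits were inside WER crash dumps (*.hdmp)")
    print("files that are not crash dumps:", *report["live_file_hits"], sep="\n  ")
```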




#2 Oswaltbabe

  • Members
  • 3 posts

Posted 23 November 2009 - 07:50 PM

I had "Security Tool" on my computer a few weeks ago and we finally got rid of it by downloading and installing the process explorer from this website and changing the name to "explorer.exe". Then run the program and delete the processes that have random numbers. Once you kill off these processes, run Malwarebytes and it should get rid of "Security Tool". However, I believe it leaves behind the google redirects and leaves you susceptible to other infections. I ignored the google redirects because I couldn't figure out a quick fix for them and now I'm infected with "advanced-virusremover2010" for which I am trying to get a solution from this forum.

Hope that helps.

#3 rigel

  • BC Advisor
  • 12,944 posts

Posted 23 November 2009 - 08:03 PM

Hi and welcome to BC

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Next... Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#4 nibpen

  • Topic Starter
  • Members
  • 9 posts

Posted 23 November 2009 - 08:32 PM

TFC and SmitFraudFix ran smoothly, and I noticed that after it rebooted my laptop and I logged in, the wait time was gone. The blue wallpaper has disappeared and it logs in like it used to :thumbsup:

The log of SmitFraudFix...

SmitFraudFix v2.424

Scan done at 20:25:46.58, 23/11/2009
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6002] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\vsnp2uvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Vongo\Tray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup

hosts


C:\


C:\Windows


C:\Windows\system


C:\Windows\Web


C:\Windows\system32


C:\Windows\system32\LogFiles


C:\Users\Curtis


C:\Users\Curtis\AppData\Local\Temp


C:\Users\Curtis\Application Data


Start Menu


C:\Users\Curtis\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




DNS

Description: NVIDIA nForce 10/100 Mbps Ethernet
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{28F058A5-ABB1-48F7-A91F-A3143EF6CC6C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9BBF898D-8D4D-4C50-87CB-98891C247373}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{28F058A5-ABB1-48F7-A91F-A3143EF6CC6C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9BBF898D-8D4D-4C50-87CB-98891C247373}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{28F058A5-ABB1-48F7-A91F-A3143EF6CC6C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9BBF898D-8D4D-4C50-87CB-98891C247373}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


Scanning for wininet.dll infection


End

There was another slight issue that arose. Right after I logged in and my normal startup applications were done loading, avast! found another Rootkit (Alureon again) in "C:\WINDOWS\Temp\WER4BEF.tmp.hdmp".

EDIT: To clarify, it logs in without wait-time like normal, but the "Internet Explorer has stopped working" still occurs.

Edited by nibpen, 23 November 2009 - 08:36 PM.
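An added check (my code, not part of the thread or of SmitfraudFix) that reads the DNS section of a SmitfraudFix report like the one above and flags any resolver outside the set the network is expected to hand out, plus any static NameServer value, which overrides what DHCP assigned. DNSChanger-class malware works by pointing these registry values at a resolver the attacker controls; the report above shows every value still at the LAN router 192.168.2.1, which is what a clean result looks like. The second sample appends one constructed line using a documentation-range address (203.0.113.x) to show what a hit looks like; `audit_resolvers`, `is_clean` and the sample names are assumptions of mine.

```python
import ipaddress
import re

# The "DNS" section of the SmitfraudFix report pasted above (CurrentControlSet keys only).
PAGE_DNS_SECTION = r"""
Description: NVIDIA nForce 10/100 Mbps Ethernet
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{28F058A5-ABB1-48F7-A91F-A3143EF6CC6C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9BBF898D-8D4D-4C50-87CB-98891C247373}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
"""

# Constructed: the same report with one extra line of the kind a changed resolver
# would produce. 203.0.113.0/24 is a documentation range, used as a placeholder.
HIJACKED_DNS_SECTION = PAGE_DNS_SECTION + (
    r"HKLM\SYSTEM\CCS\Services\Tcpip\..\{28F058A5-ABB1-48F7-A91F-A3143EF6CC6C}: "
    "NameServer=203.0.113.5,203.0.113.6\n"
)

SEARCH_ORDER_RE = re.compile(r"^DNS Server Search Order: (?P<servers>.+)$")
REG_LINE_RE = re.compile(
    r"^(?P<key>HKLM\\[^:]+): (?P<name>(?:Dhcp)?NameServer)=(?P<servers>.+)$"
)


def _split_servers(field):
    """Registry values list resolvers separated by commas or spaces."""
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def parse_dns_section(text):
    """Return (active search order, [(registry key, value name, [resolvers])])."""
    search_order, entries = [], []
    for line in text.splitlines():
        m = SEARCH_ORDER_RE.match(line)
        if m:
            search_order = _split_servers(m.group("servers"))
            continue
        m = REG_LINE_RE.match(line)
        if m:
            entries.append((m.group("key"), m.group("name"), _split_servers(m.group("servers"))))
    return search_order, entries


def audit_resolvers(text, expected):
    """Return (severity, message) findings.

    `expected` lists the resolvers or networks the LAN legitimately hands out
    (here the router, 192.168.2.1). Anything else is a warning; a static
    NameServer value is reported as info because it overrides DHCP and
    deserves a look even when it points somewhere expected."""
    allowed = [ipaddress.ip_network(e, strict=False) for e in expected]

    def is_expected(server):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            return False  # not an IP literal at all; treat as unexpected
        return any(addr in net for net in allowed)

    findings = []
    search_order, entries = parse_dns_section(text)
    for server in search_order:
        if not is_expected(server):
            findings.append(("warn", f"active search order uses unexpected resolver {server}"))
    for key, name, servers in entries:
        for server in servers:
            if not is_expected(server):
                findings.append(("warn", f"{key}: {name} points at unexpected resolver {server}"))
        if name == "NameServer":
            findings.append(("info", f"{key}: static NameServer override set ({', '.join(servers)})"))
    return findings


def is_clean(text, expected):
    """True when no resolver outside `expected` is configured anywhere in the section."""
    return not any(sev == "warn" for sev, _ in audit_resolvers(text, expected))


if __name__ == "__main__":
    lan = ["192.168.2.1"]
    print("report as posted:", "clean" if is_clean(PAGE_DNS_SECTION, lan) else "suspect")
    for sev, msg in audit_resolvers(HIJACKED_DNS_SECTION, lan):
        print(f"[{sev}] {msg}")
```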


#5 rigel

  • BC Advisor
  • 12,944 posts

Posted 23 November 2009 - 09:32 PM

Great...

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Then please update and rerun Malwarebytes... post the fresh log.

Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista Users: be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
  • Answer Yes to install and download the ActiveX controls that allows the scan to run.
  • Click Start. (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (this could take some time to complete)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#6 nibpen

  • Topic Starter
  • Members
  • 9 posts

Posted 24 November 2009 - 12:33 AM

Ran TFC again, it went fine and I rebooted. After logging in, the blue wallpaper/wait time was back =/ Although there wasn't any alert of Alureon traces from avast!.

Updated MBAM and ran a scan, the log is as follows...

Malwarebytes' Anti-Malware 1.41
Database version: 3221
Windows 6.0.6002 Service Pack 2

23/11/2009 22:56:01
mbam-log-2009-11-23 (22-56-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 296570
Time elapsed: 1 hour(s), 11 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Ran the ESET Online Scanner, log is as follows...

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=55f12ffb23c6094c891720de24645f3a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-24 05:25:16
# local_time=2009-11-24 12:25:16 (-0500, Eastern Standard Time)
# country="Canada"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=769 16775165 100 98 0 194391481 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776637 100 100 0 95643055 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=193170
# found=2
# cleaned=2
# scan_time=4788
C:\Users\Curtis\Documents\LimeWire\Saved\oona-tore my heart extended version.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Users\Curtis\Documents\LimeWire\Saved\oona-tore my heart.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C


I guess I should let you know, just in case, that after running TFC and rebooting my computer, my computer clock in the system tray changed from 12 hour format to 24 hour format by itself. I haven't changed it back yet.

EDIT: And, just letting you know, I have re-enabled my real time protection on Windows Defender and avast!. The "Internet Explorer has stopped working" is still going off every so often, though. Looking around at other people's threads (and searching it on Google once), it looks like it might have been part of some "iexplore.exe" virus that plays random audio files? Is there anything I can do to stop getting this alert? I don't even use IE - using IE to run the ESET scan was probably the first time I've used IE in months - and it's a bit annoying to keep having it pop up on my screen.

Edited by nibpen, 24 November 2009 - 01:35 AM.


#7 rigel

  • BC Advisor
  • 12,944 posts

Posted 24 November 2009 - 07:39 AM

You can change your clock back... and enable your anti-virus between runs. We need to keep you protected. The infection is still present and that is what is causing your pop-ups. We will fix it, but it will take a bit of scanning yet.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#8 nibpen

  • Topic Starter
  • Members
  • 9 posts

Posted 24 November 2009 - 01:59 PM

When I booted up my laptop this morning, I got an alert from avast! about another Alureon rootkit at "C:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local\Temp\WER3228.tmp.hdmp". Quarantined it.

Downloaded SAS and installed/updated/set it up as you directed. When I clicked "Reboot" from the Start menu, though, my computer went to blue screen and it said something about a "PAGE FAULT" or...something similar. I forgot to copy it down, so I'm not even close to 100% sure it was that error reason. Went into Safe Mode and ran SAS.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/24/2009 at 01:46 PM

Application Version : 4.31.1000

Core Rules Database Version : 4308
Trace Rules Database Version: 2173

Scan type : Complete Scan
Total Scan Time : 01:28:27

Memory items scanned : 299
Memory threats detected : 0
Registry items scanned : 8698
Registry threats detected : 0
File items scanned : 193881
File threats detected : 8

Adware.Tracking Cookie
C:\Users\Curtis\AppData\Roaming\Microsoft\Windows\Cookies\curtis@atdmt[2].txt
C:\Users\Curtis\AppData\Roaming\Microsoft\Windows\Cookies\curtis@hitbox[2].txt
C:\Users\Curtis\AppData\Roaming\Microsoft\Windows\Cookies\curtis@ehg-eset.hitbox[2].txt
C:\Users\Curtis\AppData\Roaming\Microsoft\Windows\Cookies\curtis@collective-media[2].txt
C:\Users\Curtis\AppData\Roaming\Microsoft\Windows\Cookies\curtis@atdmt[3].txt
C:\Users\Curtis\AppData\Roaming\Microsoft\Windows\Cookies\curtis@ads.bleepingcomputer[1].txt
C:\Users\Curtis\AppData\Roaming\Microsoft\Windows\Cookies\curtis@atdmt[1].txt

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\SYSTEMRESTORE\FRSTAGING\USERS\CURTIS\DESKTOP\APPLICATIONS\CRACK\KEYGEN.EXE


Regarding the keygen that SAS found, I had already deleted/emptied recycling bin before the original post here on BC. I guess my system restore saved a copy of it? And thanks for all the help so far, by the way :thumbsup:

EDIT: I just got another error report window (similar to the Internet Explorer ones I've been receiving) saying that "CEEment" has stopped working.

Edited by nibpen, 24 November 2009 - 02:20 PM.


#9 rigel

  • BC Advisor
  • 12,944 posts

Posted 24 November 2009 - 03:43 PM

That works. You know keygens are bad for your computer's health. A lot of infections are caused by their usage.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#10 nibpen
  • Topic Starter
  • Members
  • 9 posts

Posted 24 November 2009 - 04:34 PM

I'd actually completely forgotten about the keygen until the scanners detected it because I didn't make any use of it. And now it's gone and I definitely know not to go looking for any similar objects again :thumbsup: Disabled the real-time protection services (they are now re-enabled) and ran GMER.

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-24 16:31:23
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Curtis\AppData\Local\Temp\pwryrpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x91E750B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 621 820F7D64 4 Bytes [B0, 50, E7, 91] {MOV AL, 0x50; OUT 0x91, EAX}
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8BE0D340, 0x3FA057, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[676] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00020002
IAT C:\Windows\system32\services.exe[676] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00020000
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74107817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7415A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7410BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [740FF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [741075E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [740FE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74138395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7410DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [740FFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [740FFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740F71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7418CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7412C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [740FD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [740F6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [740F687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74102AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\nvstor32 \Device\Harddisk0\DR0 85001369

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\nvstor32.sys suspicious modification

---- EOF - GMER 1.0.15 ----


EDIT: I'm getting more redirects on Google now. It's still not every single time, but it's occurring more often.

Edited by nibpen, 24 November 2009 - 10:22 PM.
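
Reading the GMER log above from a defender's side: the SSDT hook is attributed to SUPERAntiSpyware's SASKUTIL.sys, the four patched bytes in KeSetEvent ([B0, 50, E7, 91]) read little-endian are exactly that hook address (0x91E750B0), and the TDI filter belongs to the installed avast!; the lines that matter are the unexpected handler address on \Device\Harddisk0\DR0 and the "suspicious modification" of nvstor32.sys, both pointing at the same storage driver. The Python script below is an added example, not GMER's code and not a tool used in this thread. It parses a constructed copy of the posted log (IAT entries left out) and sorts each line into a severity bucket; the allowlist of the two security drivers and the severity rules are assumptions, and the regular expressions are written against the line shapes visible in this log, not against a GMER format specification.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's code).

The allowlist and severity rules are assumptions: a starting point for telling
hooks placed by installed security products apart from a patched storage driver.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed allowlist: only the two security-product drivers seen in this thread's log.
KNOWN_SECURITY_DRIVERS = {"saskutil.sys", "aswtdi.sys"}

# Line shapes taken from the posted log; not a complete GMER grammar.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+\w+\s+\[0x(?P<addr>[0-9A-F]+)\]", re.I)
PATCH_RE = re.compile(r"^\.text\s+\S+!\w+\s+\+\s+\w+\s+\w+\s+\d+\s+Bytes\s+\[(?P<bytes>[^\]]+)\]", re.I)
WRITEABLE_RE = re.compile(r"^\.text\s+(?P<module>.+?)\s+section is writeable", re.I)
ATTACHED_RE = re.compile(r"^AttachedDevice\s+\S+\s+\S+\s+(?P<driver>\S+)\s+\((?P<desc>[^)]*)\)", re.I)
DEVICE_RE = re.compile(r"^Device\s+->\s+\\Driver\\(?P<driver>\S+)\s+(?P<device>\S+)\s+[0-9A-F]+$", re.I)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$", re.I)

# Constructed sample: the log posted above with the IAT section left out.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x91E750B0]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 621 820F7D64 4 Bytes [B0, 50, E7, 91] {MOV AL, 0x50; OUT 0x91, EAX}
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8BE0D340, 0x3FA057, 0xE8000020]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device -> \Driver\nvstor32 \Device\Harddisk0\DR0 85001369
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\nvstor32.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""


@dataclass
class Finding:
    severity: str  # "benign", "info", "review" or "high"
    reason: str
    line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    out: list[Finding] = []
    hooks: dict[int, str] = {}      # SSDT hook target address -> owning driver
    device_at: dict[str, int] = {}  # driver name -> index of its "Device ->" finding
    modified: set[str] = set()      # driver names whose file GMER reports modified
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := SSDT_RE.match(line):
            owner = _basename(m["module"])
            hooks[int(m["addr"], 16)] = owner
            known = owner in KNOWN_SECURITY_DRIVERS
            out.append(Finding("benign" if known else "review", f"SSDT hook by {owner}", line))
        elif m := PATCH_RE.match(line):
            # GMER prints patched bytes in memory order; a 4-byte patch read
            # little-endian is a pointer, so compare it with the SSDT hook targets.
            patched = bytes(int(b, 16) for b in m["bytes"].split(","))
            ptr = int.from_bytes(patched, "little") if len(patched) == 4 else None
            if ptr in hooks and hooks[ptr] in KNOWN_SECURITY_DRIVERS:
                out.append(Finding("benign", f"patched bytes equal the SSDT hook address of {hooks[ptr]}", line))
            else:
                out.append(Finding("review", "inline kernel code patch with no known owner", line))
        elif m := WRITEABLE_RE.match(line):
            out.append(Finding("info", f"writeable code section in {_basename(m['module'])}", line))
        elif m := ATTACHED_RE.match(line):
            drv = _basename(m["driver"])
            if drv in KNOWN_SECURITY_DRIVERS:
                out.append(Finding("benign", f"filter {drv} belongs to an installed security product", line))
            else:  # the vendor text is the file's own version resource, so it clears nothing
                out.append(Finding("info", f"filter {drv} ({m['desc']}) is not on the allowlist", line))
        elif m := DEVICE_RE.match(line):
            device_at[m["driver"].lower()] = len(out)
            out.append(Finding("review", f"unexpected handler address for {m['device']} (driver {m['driver']})", line))
        elif m := FILE_RE.match(line):
            name = _basename(m["path"])
            modified.add(name.rsplit(".", 1)[0])
            out.append(Finding("high", f"driver file {name} reported modified on disk", line))
        else:
            out.append(Finding("info", "line type not handled by this example", line))
    # A hooked device object whose driver file is also modified is the pattern to
    # act on; correlate after the loop so the order of the sections does not matter.
    for stem, i in device_at.items():
        if stem in modified:
            out[i].severity = "high"
            out[i].reason += f"; its file {stem}.sys is also reported modified"
    return out


def summary(findings: list[Finding]) -> dict[str, int]:
    counts = {"benign": 0, "info": 0, "review": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts
```

Run on the sample, `summary(triage(SAMPLE_LOG))` gives three benign, two info and two high findings, and both high ones name nvstor32. The weak point of this approach is the allowlist: a vendor string shown in parentheses comes from the driver file's own version resource, so an unknown filter is only recorded, never cleared, and the allowlist should be built from files whose signatures were actually checked.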


#11 rigel (FD-BC)
  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 25 November 2009 - 11:35 PM

Hmmm, let's try one more thing.

Please download GooredFix from one of the locations below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#12 nibpen
  • Topic Starter
  • Members
  • 9 posts

Posted 26 November 2009 - 11:43 AM

Erm, I don't know if GooredFix worked like it's supposed to since it finished in about a second. I closed everything and ran it as admin, it prompted me to scan, I clicked yes, and almost immediately the log popped up. Did I miss anything or do something wrong?

GooredFix by jpshortstuff (26.11.09.1)
Log created at 11:34 on 26/11/2009 (Curtis)
Firefox version 3.5.5 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [20:31 12/04/2009]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [00:48 16/02/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [01:30 25/03/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [20:37 29/09/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [03:26 20/11/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [21:01 03/02/2009]

-=E.O.F=-


I looked at my Problem Reports and Solutions in the Control Panel, and the IE (iexplore.exe) that keeps shutting down shows the properties of...

Problem signature
Problem Event Name: APPCRASH
Application Name: iexplore.exe
Application Version: 8.0.6001.18828
Application Timestamp: 4a9600c9
Fault Module Name: USER32.dll
Fault Module Version: 6.0.6002.18005
Fault Module Timestamp: 49e03821
Exception Code: c0000142
Exception Offset: 00009eed
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 4105
Additional Information 1: 9d13
Additional Information 2: 1abee00edb3fc1158f9ad6f44f0f6be8
Additional Information 3: 9d13
Additional Information 4: 1abee00edb3fc1158f9ad6f44f0f6be8

Extra information about the problem
Bucket ID: 1505662401

Does any of that help? avast! hasn't caught any Trojans or Rootkits since the last one I reported on the 24th, so is the only problem left the iexplore.exe?

#13 rigel (FD-BC)
  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 26 November 2009 - 07:59 PM

It looks like it. Try reinstalling IE8.

GooredFix does run quickly. The tool looks for a specific thing.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#14 nibpen
  • Topic Starter
  • Members
  • 9 posts

Posted 26 November 2009 - 11:34 PM

I'm already running IE8.

What should I do next? I'm getting search engine redirects very frequently now.

EDIT: Almost forgot to mention that avast! picked up a download ("kariboka.com/documents/?s=575") I didn't even see a request for and had no intentions of even running into. I was on Google looking up info on Physical Memory versus Computer Usage (my computer usage is currently fairly low and yet my physical memory stays at roughly 50%, when my task bar is clear of programs/applications) and avast! suddenly reported this download. It was for a Trojan called "JS: Downloader-FT[Trj]" with a VPS of 091126. Avast! allowed me to abort the download connection, so I don't think anything came of it.

Edited by nibpen, 26 November 2009 - 11:43 PM.


#15 nibpen
  • Topic Starter
  • Members
  • 9 posts

Posted 30 November 2009 - 01:20 PM

Sorry, I had earlier re-read your post to notice it said "reinstall" and not "install", but I wasn't able to get to my computer very much this past weekend.

I uninstalled IE8 and redownloaded a new one from the Microsoft site, but before I reinstalled it, I got another error message. This one was different, though, and it says "The application failed to initialize properly (0xc0000142). Click OK to terminate the application." With 'the application' being iexplore.exe. Should I continue and reinstall IE8? I'm not sure how the search engine redirects are doing, but now occasionally when I type in a URL in the address bar (in Firefox), I'll get a new tab that pops up that goes to an online casino site.

Edited by nibpen, 30 November 2009 - 01:21 PM.




