Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser opens itself multiple times


  • Please log in to reply
26 replies to this topic

#1 David0153

David0153

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norfolk, UK
  • Local time:04:42 PM

Posted 01 December 2009 - 05:33 PM

My default search engine is Internet Explorer 8 and my Google homepage has started opening itself multiple times unexpectedly whenever I try to perform any actions. I ran Malwarebytes full scan, which I do daily and it found 18 items including multiple instances of Backdoor.bot I removed them and all seemed fine, but tonight it started again. I ran Malwarebytes again it found nothing. I tried researching the internet, without real success, I did find some links which looked useful, but when I tried to open them I was directed to the wrong site. I also use Google Chrome which has started opening blank pages alongside the page I am opening. Help please am I infected?

When I tried to post this topic it opened my google homepage opened again.

Edited by David0153, 01 December 2009 - 05:35 PM.

Never let a dark past cloud a bright future

“It is from numberless diverse acts of courage and belief that human history is shaped. Each time a man stands up for an ideal, or acts to improve the lot of others, or strikes out against injustice, he sends forth a tiny ripple of hope.” Robert Francis Kennedy

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:42 PM

Posted 01 December 2009 - 10:16 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:42 PM

Posted 01 December 2009 - 10:34 PM

Hello and welcome.. Please post the 2 MBAM logs so we can see what ws found and removed.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 David0153

David0153
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norfolk, UK
  • Local time:04:42 PM

Posted 02 December 2009 - 08:43 AM

Hi boopme

Thanks for responding. Here are my last malwarebytes logs:

Malwarebytes' Anti-Malware 1.41
Database version: 3267
Windows 5.1.2600 Service Pack 3

01/12/2009 15:47:17
mbam-log-2009-12-01 (15-47-17).txt

Scan type: Quick Scan
Objects scanned: 113697
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.


Malwarebytes' Anti-Malware 1.41
Database version: 3267
Windows 5.1.2600 Service Pack 3

01/12/2009 15:56:43
mbam-log-2009-12-01 (15-56-43).txt

Scan type: Quick Scan
Objects scanned: 113608
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes' Anti-Malware 1.41
Database version: 3269
Windows 5.1.2600 Service Pack 3

02/12/2009 12:45:38
mbam-log-2009-12-02 (12-45-38).txt

Scan type: Quick Scan
Objects scanned: 117334
Time elapsed: 7 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I have downloaded TFC and SUPERantispyware and am about to follow your instructions.
Never let a dark past cloud a bright future

“It is from numberless diverse acts of courage and belief that human history is shaped. Each time a man stands up for an ideal, or acts to improve the lot of others, or strikes out against injustice, he sends forth a tiny ripple of hope.” Robert Francis Kennedy

#5 David0153

David0153
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norfolk, UK
  • Local time:04:42 PM

Posted 02 December 2009 - 09:14 AM

I am unable to start laptop in safe mode.I do have HP Credential Manager and Fingerprint sensor insalled could it be this?

Thanks again
Never let a dark past cloud a bright future

“It is from numberless diverse acts of courage and belief that human history is shaped. Each time a man stands up for an ideal, or acts to improve the lot of others, or strikes out against injustice, he sends forth a tiny ripple of hope.” Robert Francis Kennedy

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:42 PM

Posted 02 December 2009 - 11:32 AM

Can you get in to safe mode with command prompt?
See if you can, type C:\windows\system32\restore\rstrui.exe in to the command prompt and press return. This should allow you to run system restore to an earlier date.


A note about these backdoor bots,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 David0153

David0153
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norfolk, UK
  • Local time:04:42 PM

Posted 02 December 2009 - 02:59 PM

Hi cannot get into safe mode whatever option I select I get a message saying sorry for the inconvenience no can do and resorts to normal start. I ran SUPERAntispyware anyway because your last message spooked me and it found 38 items.
I have attached log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/02/2009 at 05:43 PM

Application Version : 4.31.1000

Core Rules Database Version : 4327
Trace Rules Database Version: 2182

Scan type : Complete Scan
Total Scan Time : 00:36:58

Memory items scanned : 482
Memory threats detected : 0
Registry items scanned : 6519
Registry threats detected : 23
File items scanned : 38931
File threats detected : 15

Adware.HBHelper
HKLM\Software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32#ThreadingModel
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID
HKCR\URLSearchHook.ToolbarURLSearchHook.1
HKCR\URLSearchHook.ToolbarURLSearchHook.1\CLSID
HKCR\URLSearchHook.ToolbarURLSearchHook
HKCR\URLSearchHook.ToolbarURLSearchHook\CLSID
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS
HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR
C:\PROGRAM FILES\ANTBAR\ANT.COM TOOLBAR\TBHELPER.DLL

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@rts.pgmediaserve[2].txt
C:\Documents and Settings\User\Cookies\user@partypoker[2].txt
C:\Documents and Settings\User\Cookies\user@ads.ft[2].txt
C:\Documents and Settings\User\Cookies\user@clickarrows[1].txt
C:\Documents and Settings\User\Cookies\user@media.brandreachsys[2].txt
C:\Documents and Settings\User\Cookies\user@mediatraffic[1].txt
C:\Documents and Settings\User\Cookies\user@revsci[2].txt
C:\Documents and Settings\User\Cookies\user@collective-media[1].txt
C:\Documents and Settings\User\Cookies\user@azjmp[2].txt
C:\Documents and Settings\User\Cookies\user@www.googleadservices[1].txt
C:\Documents and Settings\User\Cookies\user@myroitracking[1].txt
C:\Documents and Settings\User\Cookies\user@serving.adsrevenue.clicksor[2].txt
C:\Documents and Settings\User\Cookies\user@ad2.doublepimp[1].txt

Browser Hijacker.Deskbar
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

Launchurl
C:\PROGRAM FILES\TRIGOLD\PROSPECTOR\LAUNCHURL.EXE
Never let a dark past cloud a bright future

“It is from numberless diverse acts of courage and belief that human history is shaped. Each time a man stands up for an ideal, or acts to improve the lot of others, or strikes out against injustice, he sends forth a tiny ripple of hope.” Robert Francis Kennedy

#8 David0153

David0153
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norfolk, UK
  • Local time:04:42 PM

Posted 02 December 2009 - 03:17 PM

Just had a thought my problems started when I downloaded an application called AntToolbar, during the download it directed me to another site which I had great difficulty closing. Once installed I uninstalled and although only an empty folder was left in c:/programs it is still showing in the SUPERAntispyware log. Don't know if this helps.

Edited by David0153, 02 December 2009 - 03:18 PM.

Never let a dark past cloud a bright future

“It is from numberless diverse acts of courage and belief that human history is shaped. Each time a man stands up for an ideal, or acts to improve the lot of others, or strikes out against injustice, he sends forth a tiny ripple of hope.” Robert Francis Kennedy

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:42 PM

Posted 02 December 2009 - 03:21 PM

Ok please do one more
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Do you have your XP disk as we may need to do a Repair instaal to fix Safe Mode
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:42 PM

Posted 02 December 2009 - 03:26 PM

Sounds like it was abad install ..if the folder is empty delete it.
You can also try a System restore do a day before this happened. That may bring back Safe Mode. it will possible bring back the malware so you will need to start scanning all over again.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 David0153

David0153
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norfolk, UK
  • Local time:04:42 PM

Posted 02 December 2009 - 03:34 PM

Hi boopme,

MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 3281
Windows 5.1.2600 Service Pack 3

02/12/2009 20:28:24
mbam-log-2009-12-02 (20-28-24).txt

Scan type: Quick Scan
Objects scanned: 112316
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I have XP disc service pack 2. Am still getting multiple homepages opening.

I will reboot now.
Never let a dark past cloud a bright future

“It is from numberless diverse acts of courage and belief that human history is shaped. Each time a man stands up for an ideal, or acts to improve the lot of others, or strikes out against injustice, he sends forth a tiny ripple of hope.” Robert Francis Kennedy

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:42 PM

Posted 02 December 2009 - 03:39 PM

We will need to run these 2 also in normal i presume.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


Drweb-cureit This is a long one.
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 David0153

David0153
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norfolk, UK
  • Local time:04:42 PM

Posted 02 December 2009 - 04:07 PM

Hi RootRepeal report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/02 20:45
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA1E12000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\user\local settings\temp\~df7c1e.tmp
Status: Allocation size mismatch (API: 24576, Raw: 0)

Path: c:\documents and settings\user\local settings\temp\~dfba0.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\User\Local Settings\Temp\1BDHB8Q0.htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User\Local Settings\Temp\3MMUPIW2.htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User\Local Settings\Temp\6HXZKTK2.htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User\Local Settings\Temp\DMJ9RI0Z.htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User\Local Settings\Temp\NIAP3K5T.htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User\Local Settings\Temp\QY2FS1WA.htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User\Local Settings\Temp\W9NN3OMC.htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User\Local Settings\Temp\YB1NTSGX.htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User\Local Settings\Apps\2.0\QHZ0N7PG.6MQ\Y52J9EM9.8PL\goog...app_9a8dfcd080ccb114_0001.0002_176ee8b366501ff4\clic...exe_9a8dfcd080ccb114_0001.0002_none_19406d71b53cc551.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Apps\2.0\QHZ0N7PG.6MQ\Y52J9EM9.8PL\goog...app_9a8dfcd080ccb114_0001.0002_176ee8b366501ff4\clic...exe_9a8dfcd080ccb114_0001.0002_none_19406d71b53cc551.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba91887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba918bfe

==EOF==

Have downloaded Dr.Web CureIt, but cannot run in Safe Mode should I run in normal mode?
Never let a dark past cloud a bright future

“It is from numberless diverse acts of courage and belief that human history is shaped. Each time a man stands up for an ideal, or acts to improve the lot of others, or strikes out against injustice, he sends forth a tiny ripple of hope.” Robert Francis Kennedy

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:42 PM

Posted 02 December 2009 - 04:13 PM

man thought for sure there'd be a rootkit. nope.
Yes run it normal I am hoping we can still remove the blocker
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 David0153

David0153
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norfolk, UK
  • Local time:04:42 PM

Posted 02 December 2009 - 07:18 PM

Hi again boopme,

Dr Web report:

Process in memory: C:\Program Files\AVG\AVG9\avgcsrvx.exe:308;;BackDoor.Tdss.565;Eradicated.;
Never let a dark past cloud a bright future

“It is from numberless diverse acts of courage and belief that human history is shaped. Each time a man stands up for an ideal, or acts to improve the lot of others, or strikes out against injustice, he sends forth a tiny ripple of hope.” Robert Francis Kennedy




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users