Post Removal Problem


9 replies to this topic

#1 Norm@Home
Posted 21 December 2009 - 07:20 PM

I've got a problem with a friend's computer. His computer was infected with the "MyWaySearch" and some version of the phony anti-virus program that's been going around the last year or so.

I managed to remove the problems and the system scans clean with the latest ComboFix, NOD32 V4 anti-virus, Spybot Search & Destroy and HiJackThis!, and by all accounts there should be no problem. But the symptom is that, first, IE7 constantly reports "This page cannot be displayed" and multiple retries usually bring the page in question up. Second, in FireFox 5.5.6, let's say that I Google something, say "ComboFix", and click on the link "Guide and tutorial on using combofix" which should bring me here, but instead I get something like "Can't find the server at" and then various nonsense things like "sraewerhscrener.com", "wervnressechaer.com", "varsrenreswecen.com". Different links in different searches all come up with something similar.

To try and resolve this I tried looking to see if the system had a bad proxy installed, but that doesn't seem to be the case. I tried repairing TCP/IP using WinSockFix and checking with LSPFix but neither seemed to repair or find a problem.

I'd be grateful for an idea about what the problem could be.

Thanks,

- Norm

#2 MATTSPCHELP
Posted 21 December 2009 - 08:03 PM

Hosts File ?
Microsoft Certified Desktop Support Technician

#3 Norm@Home
Posted 21 December 2009 - 11:35 PM

Hosts File ?


I'll go over and check tomorrow, but I thought that I had read that either NOD32 or SpyBot checks the hosts file for malicious entries?

Thanks,

- Norm

#4 Norm@Home
Posted 27 December 2009 - 01:50 AM

As previously suggested, I checked the hosts file and it has the standard localhost entry plus the entries added by SpyBot Search & Destroy and nothing more.

HiJackThis! had reported "nvprovau.dll" as a possible problem and, while this could potentially be a legit item (if you have the Novell IPX protocol installed), there was no corresponding item listed for it in the local area connection properties. So I removed it using LSPFix, but still the same problem.

Another item: my friend and I both use Comcast as our ISP and, despite the fact that we only live a mile apart, I noticed that he was being assigned three different DNS servers than what Comcast's DHCP servers are giving me. I tried manually overriding that and made his match mine, but still no good.

I tried getting the latest drivers for the Intel NIC his computer uses and uninstalled the NIC driver and reinstalled using the latest available driver, but still the same result.

IE 7 is set for automatic proxy detection and FireFox is set to no proxy.

Just to reiterate what the symptoms of this problem are: in IE 7, whenever you use a search engine such as Google or Bing to search for something and then click on one of the displayed links you get "this page cannot be displayed", and if you hit the refresh button once, the page will come up.

On the other hand, FireFox 3.5.6 is totally incapacitated: if you do a search using either Google or Bing you will get a results page no problem. However, when you go to click on one of the result links you get "Server Not Found", "FireFox Can't find the server at" and then various nonsense things like "sraewerhscrener.com", "wervnressechaer.com", "varsrenreswecen.com", "arcvserehnerwse.com". For example, if I search for "Window Blinds" and I get a page of search results and I pick a link and hover the mouse cursor over it, I can see on the status bar that the link points to [http://www.xxxxx.com] but when I actually click on it the url that appears in the address bar is "http://arcvserehnerwse.com".

I honestly don't understand this; I've seen many cases where IE has been hosed by a virus but never where IE works and FireFox is unusable. Has anyone seen anything like this, any ideas on how to track down what is causing this?

Thanks,

- Norm


#5 Norm@Home
Posted 30 December 2009 - 08:34 AM

I realize that it's the holidays and a lot of people are traveling and doing holiday things, but could someone please help me out here and give me an idea on how to further investigate this? My last post was three days ago and I've gotten no replies. If you need additional information, I'll be happy to provide it.

Thanks,

- Norm

#6 Andrew
Posted 02 January 2010 - 12:59 PM

We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#7 AustrAlien

Posted 02 January 2010 - 01:25 PM

This looks a lot like the "newserversearch.com" malware.

Please download Kenco.exe and save it to your desktop.
  • Double-click on Kenco.exe to run it (if you get a security warning, click run).
  • You will see a black command window and shortly a logfile will be opened. Note - Kenco.log will be saved on your desktop.
  • In order to complete the cleaning process, Kenco.exe may need to reboot your computer.
Please copy/paste the contents of kenco.log in your next reply.

Do you still have the problem?
AustrAlien
Google is my friend. Make Google your friend too.

#8 Norm@Home

Posted 02 January 2010 - 03:00 PM

Hi Andrew,

Thank you very much for the quick reply. The following is the report you requested from RootRepeal:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2010/01/02 14:44
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9F40000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B62000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA920A000	Size: 49152	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\administrator\local settings\application data\mozilla\firefox\profiles\kj0c0gsx.default\cache\_cache_001_
Status: Size mismatch (API: 657880, Raw: 656892)

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kj0c0gsx.default\Cache\328C99C6d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\kj0c0gsx.default\Cache\76CCBC25d01
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 019	Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x85ed18a0

#: 122	Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x85ed0cb0

#: 128	Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x85ed10d0

#: 253	Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85ed16d0

#: 254	Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x85ed14f0

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85ed0ee0

#: 258	Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x85ed1310

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x863dcda8]
Process: System	Address: 0x85ecf930	Size: 1000

==EOF==

- Norm
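
Reading a RootRepeal report by eye is easy to get wrong, so here is an added example (not from the thread and not part of RootRepeal) that parses the report format shown above and flags the entries a responder would act on: SSDT functions hooked by an unknown module and hidden code in a process. It skips the driver entries RootRepeal routinely reports as invisible (crash-dump copies such as dump_atapi.sys and its own rootrepeal.sys). The sample report is a constructed abbreviation of the log posted above.

```python
# Constructed sample in RootRepeal's report format, abbreviated from the log posted above.
SAMPLE_REPORT = """Drivers
-------------------
Name: dump_atapi.sys
Address: 0xA9F40000\tSize: 98304\tFile Visible: No\tSigned: -

SSDT
-------------------
#: 122\tFunction Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x85ed0cb0

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x863dcda8]
Process: System\tAddress: 0x85ecf930\tSize: 1000
==EOF=="""

SECTIONS = ("Drivers", "Hidden/Locked Files", "SSDT", "Stealth Objects")

def parse_report(text):
    """Return {section: [entry, ...]}, each entry mapping 'Key' -> 'value'."""
    sections, current, entry = {}, None, {}
    for line in text.splitlines() + [""]:  # the trailing "" flushes the last entry
        if line in SECTIONS or not line.strip():
            if entry:
                sections[current].append(entry)
            entry = {}
            if line in SECTIONS:
                current, sections[line] = line, []
        elif current and not line.startswith("-"):
            for field in line.split("\t"):  # several "Key: value" pairs share a line
                key, sep, value = field.partition(": ")
                if sep:
                    entry[key.strip()] = value.strip()
    return sections

def triage(sections):
    """Findings worth a closer look; dump_*.sys copies and RootRepeal's own driver are expected to be invisible."""
    findings = []
    for d in sections.get("Drivers", []):
        name = d.get("Name", "").lower()
        if d.get("File Visible") == "No" and not (name.startswith("dump_") or name == "rootrepeal.sys"):
            findings.append(f"driver hidden from the file system: {d.get('Name')}")
    for h in sections.get("SSDT", []):
        if "<unknown>" in h.get("Status", ""):
            findings.append(f"SSDT #{h.get('#')} {h.get('Function Name')} hooked by an unknown module")
    for o in sections.get("Stealth Objects", []):
        if o.get("Object", "").startswith("Hidden Code"):
            findings.append(f"hidden code in process {o.get('Process')} at {o.get('Address')}")
    return findings
```

Hooks attributed to a named security product's driver are not flagged, since anti-virus and firewall software legitimately hooks some of these same functions; only "<unknown>" owners are reported.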

#9 Norm@Home

Posted 02 January 2010 - 03:22 PM

Ok, downloaded and ran that, here are the results:

Kenco by jpshortstuff (31.12.09.1)
Log created at 14:54 on 02/01/2010 (Administrator)

========== Task Unlocker ==========
C:\WINDOWS\Tasks\OVBO.job -> Unlocked!

========== KencoScan ==========
C:\WINDOWS\system32\diskpartc.dll -> Unlocked!
C:\WINDOWS\system32\diskpartc.dll -> Infected -> Deleted successfully!
C:\WINDOWS\Tasks\OVBO.job -> Deleted successfully!

========== C:\WINDOWS\Tasks ==========
AppleSoftwareUpdate.job -> [03:23 28/10/2009] 284 bytes

-=E.O.F=-

As far as I can tell from a brief test, the problem does in fact appear to be fixed.

Thanks,

- Norm

#10 AustrAlien

Posted 06 January 2010 - 01:09 AM

the problem does in fact appear to be fixed.

No worries. Too easy!

If you have any further issues, please let us know.
AustrAlien
Google is my friend. Make Google your friend too.