
os-guard2010.microsoft.com


  • This topic is locked
2 replies to this topic

#1 Drask

  • Members
  • 1 posts
  • OFFLINE
  • Local time:06:49 PM

Posted 27 December 2009 - 04:58 PM

I am using Microsoft Windows XP Home Edition Version 2002 Service Pack 3. Every time I open Internet Explorer, I get redirected to hxxp://os-guard2010.microsoft.com/block.php?r=59.6 which says "Internet Explorer Warning - visiting this web site may harm your computer!" and contains a link titled "Purchase for secure Internet surfing (recommended)" which redirects me to "http://os-guard2010.com/purchase?r=59.6".

I've always had pretty good luck dealing with viruses and malware in the past, but this one has me stumped.

When I first discovered the problem, I booted into Ubuntu, restored the backup registry from %SystemRoot%\Repair to %SystemRoot%\System32\Config, booted back into windows and updated and ran Malwarebytes' Anti-Malware. That program found the following files and removed them. I have no idea if any of these are related to the problem I'm having:

C:\Documents and Settings\Owner\Local Settings\Application Data\bpbual\xaxnsysguard.exe (Trojan.FakeAlert)
C:\Documents and Settings\Owner\Local Settings\Temp\pdfupd.exe (Spyware.Passwords)
C:\Documents and Settings\Owner\Temporary Internet Files\Content.IE5\HX0WG0VT\ms307[1].exe (Spyware.Passwords)
C:\Documents and Settings\Owner\Temporary Internet Files\Content.IE5\SI5JUOQ6\setup[1].exe (Adware.Seekmo)
C:\Documents and Settings\Owner\Local Settings\Temp\zodin_1248441434.exe (Worm.KoobFace)

C:\WINDOWS\010112010146118114.dat (Worm.KoobFace)
C:\WINDOWS\0101120101464849.dat (Worm.KoobFace)
C:\WINDOWS\0101120101464853.dat (Worm.KoobFace)
C:\WINDOWS\0101120101465749.dat (Worm.KoobFace)
C:\WINDOWS\jmmark2.dat (Worm.KoobFace)
C:\WINDOWS\prxid93ps.dat (Malware.Trace)
C:\WINDOWS\th823567.dat (Worm.KoobFace)

Internet Explorer did not have the behavior when I started it with the registry from the "repair" directory.

Then I restored the current registry and ran Malwarebytes' Anti-Malware again and this time it found and removed the following registry keys:

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer)
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juirdnmm (Trojan.FakeAlert.N)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juirdnmm (Trojan.FakeAlert.N)

After removing these files and registry keys, the computer continues to display the os-guard2010.microsoft.com page rather than my homepage although Malwarebytes, Superantispyware, Spybot search and destroy and the free version of AVG Antivirus report no problems on the computer. I have also spent hours searching forums related to this which list the following executables and registry keys related to the infection:

%ProgramFiles%\Antivirus System PRO\Antivirussystempro.exe
%ProgramFiles%\Antivirus System PRO\uninstall.exe
%SystemRoot%\sysguard.exe
%SystemRoot%\system32\iehelper.dll
%ProgramFiles%\Antivirus System PRO\conf.cfg
%ProgramFiles%\Antivirus System PRO\mbase.vdb
%ProgramFiles%\Antivirus System PRO\quarantine.vdb
%ProgramFiles%\Antivirus System PRO\queue.vdb

HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus System PRO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus System PRO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Antivirus System PRO"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "ieModule"
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system tool"
HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}

but none of these files or registry entries exist on my computer. I have also booted my computer into Ubuntu and used that to examine the hard drive and can't find any of these files.

The issue does not affect Firefox. After opening Internet Explorer, I can browse normally as long as I don't attempt to go to my home page. When I do try to go to my home page, the browser goes into "offline mode" and the os-guard2010 page comes up again. So this thing is linked to the home page URL somehow. If I change my homepage url (by, say, adding "?" to the end of it) it comes up successfully, but if I browse to the old url through a link or something, the os-guard2010.microsoft.com page jumps in front of it again.

I have checked my Internet Explorer add-ons and nothing looks suspicious to me. The computer does not exhibit the behavior when running in "Safe mode with networking".

The url os-guard2010.microsoft.com does not appear to be a valid url even within my own system. When I try to ping it I get the message "Ping request could not find host os-guard2010.microsoft.com. Please check the name and try again." I cannot browse to the "http://os-guard2010.microsoft.com/block.php?r=59.6" address using Firefox. There is no entry for "os-guard.microsoft.com" in my HOSTS file. The browser always switches to offline mode before bringing up the page and the page comes up even if the computer is not connected to the internet, so it appears to be coming from within my computer.

On advice from another page I tried typing "netsh winsock reset" onto the command line and restarting the computer, but that had no effect either.

I assume the "block.php" part is just a joke on the part of the writer (it seems unlikely that Microsoft would use PHP to write anything) rather than indicating that there is actually a PHP service running on my machine somewhere.

So far this does not appear to be downloading infections into my computer and the computer appears to be running normally, so I may have killed the main infection, but I want my homepage back and all vestiges of this thing gone.

Attached is my HijackThis log.

Thanks for any help!

Edited by Drask, 27 December 2009 - 10:47 PM.
Deactivate link. ~ OB



#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:49 AM

Posted 28 December 2009 - 07:31 AM

Hi,

Start HijackThis, click Scan and check the following entry in it:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

Then click the Fix checked button below.

Then, in Internet Explorer: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings".
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

Once you've done this, make sure your browser isn't in offline mode anymore, then update Malwarebytes (because I'm sure it was outdated since your proxy settings were modified by malware, so it blocks updates).
  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
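As an added example (not part of this thread or of any tool named in it), a short Python script that parses HijackThis "R1" ProxyServer lines and flags a proxy that points back at the local machine, the configuration miekiemoes identified above. Only the first sample line is the one quoted in the reply; the remaining sample lines are constructed, and the script reads the log text rather than the live registry so it runs anywhere.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# HijackThis "R1" lines for the Internet Settings key (constructed samples).
# Line 1 is the entry quoted in the reply above; lines 2-4 are made up to
# show a per-protocol value, a legitimate corporate proxy, and a non-proxy line.
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.corp.example:8080;https=proxy.corp.example:8080",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:3128",
    r"R0 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,Start Page = http://www.example.com/",
]

R1_PROXY = re.compile(r"^R1 - (?P<key>HK\w+\\.*?Internet Settings),ProxyServer = (?P<value>.+)$")


def parse_proxy_server(value: str) -> Dict[str, Tuple[str, int]]:
    """Parse a ProxyServer value: either a bare "host:port" for all protocols
    (stored under the key "*") or a ';'-separated list of "scheme=host:port"."""
    entries = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # scheme is "" when no '=' present
        host, _, port = hostport.rpartition(":")
        entries[scheme or "*"] = (host.strip().lower(), int(port) if port.isdigit() else 0)
    return entries


def is_loopback(host: str) -> bool:
    """True for 'localhost' or any loopback address (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_suspicious_proxies(lines: List[str]) -> List[dict]:
    """One finding per proxy entry that hands browser traffic to a process on the
    same box; that is how a fake "block" page can appear for the home page even
    while the machine is offline and the bogus host name does not resolve."""
    findings = []
    for line in lines:
        m = R1_PROXY.match(line.strip())
        if not m:
            continue
        for scheme, (host, port) in parse_proxy_server(m.group("value")).items():
            if is_loopback(host):
                findings.append({"key": m.group("key"), "scheme": scheme, "host": host, "port": port})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_proxies(SAMPLE_HJT_LINES):
        print(f"suspicious proxy: {f['scheme']} -> {f['host']}:{f['port']} ({f['key']})")
```

On a live machine the same check applies to the ProxyEnable and ProxyServer values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and a loopback proxy should be paired with a look at which process is listening on that port before the value is cleared.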

#3 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:49 AM

Posted 22 January 2010 - 08:34 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.