What is this virus?



#1 lildrgn

Posted 26 March 2010 - 02:24 PM

Usually when I have an issue, Bleeping Computer has something about it posted and I solve my problem. This time, I can't find anything about my issue so here's my post.

I get this pop up a few times a day:

Posted Image

I simply close the tab and reopen it and it seems to work fine. I've run SAS, MBAM (in safe mode [though it won't let me update or open the website; whether it's related to the screengrab is unknown to me]), Yahoo Anti-Spy, Avast, and everything seems to be "cleaned".

Other things I've noticed are some Google redirects, some pop-unders of Firefox opening to websites, some random websites not working (for example: www.elfyphotography.com) and displaying "google-analytics.com" in the status bar.

Is it all related to the malwarebytes.org blocker? Someone help please! :thumbsup:

Edit to add: running Windows XP SP2, Firefox 3.5.8.

Edited by lildrgn, 26 March 2010 - 02:28 PM.



#2 boopme

Posted 26 March 2010 - 02:55 PM

Hello, looks like a new rogue.
Press CTRL+ALT+DELETE to open the Windows Task Manager. Click on the "Processes" tab, search for Online Protection Tool, then right-click it and select "End Process" key.


Run RKill....

Please download Rkill by Grinler and save it to your desktop.
Link 2, Link 3, Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way as the malware programs will start again.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Edited by boopme, 26 March 2010 - 02:56 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 lildrgn

Posted 26 March 2010 - 03:12 PM

I ran Rkill and it killed 3 processes. I ran MBAM in normal mode and it would not allow me to update, giving me the following error instead:

An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team. Error code: 732 (12007, 0)


I am also unable to access www.malwarebytes.org via Firefox, IE or Chrome.

Here's the scan log:

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/26/2010 12:57:37 PM
mbam-log-2010-03-26 (12-57-37).txt

Scan type: Quick Scan
Objects scanned: 131338
Time elapsed: 11 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#4 boopme

Posted 26 March 2010 - 03:22 PM

Ok, for some reason the version and database aren't showing in the log.

You also may need to rename the mbam.exe file to say zztoy before saving it.

If you cannot use the Internet, you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash, usb, jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.
***
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.


Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware


#5 lildrgn

Posted 26 March 2010 - 03:48 PM

MBAM version 1.44
Database date 1/7/2010
Database version: 3510
Fingerprints loaded: 174959

I thought I might be able to d/l the latest defs from a laptop that I haven't used in months. I turned it on, installed MBAM off my USB stick (version 1.32 which allowed me to choose from different mirrors), but I'm getting the same issue on that computer with the same "alert"!

Also, since I cannot access www.malwarebytes.org from any of my 3 computers, is there somewhere else I can d/l mbam-rules.exe?

Edit to add: found mbam-rules.exe "out there" and installed. Now MBAM won't start at all, instead giving me error code 730 (0,0).

Edited by lildrgn, 26 March 2010 - 04:00 PM.


#6 kajaco2

Posted 26 March 2010 - 11:16 PM

Thank you so much! I've worked for several hours to fix this problem and this is the ONLY set of directions that was successful!

I do have one question: when I ran RKill, it terminated Chrome browser and GoogleCrashHandler (the latter is running again after rebooting). Is it ok to use Chrome again?

#7 boopme

Posted 27 March 2010 - 07:57 PM

@ lildrgn your USB drive is infected and infecting everything it touches. Run this then try again to get MBAM.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.



@ kajaco2
You should be fine.
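
The note in post #7 says a folder named autorun.inf keeps an autorun file from being installed at the drive root. As an added example (not from the thread and not part of Flash_Disinfector), this Python script checks a drive root for that state and lists what an existing autorun.inf file would launch; the function names and the `SAMPLE` content are constructed for illustration.

```python
import os

# [autorun] keys that make Windows launch a program from the drive.
LAUNCH_KEYS = ("open", "shellexecute")
# Constructed sample of autorun.inf content, for illustration only.
SAMPLE = "[autorun]\n;junk\nopen=setup.exe\nshell\\open\\command=setup.exe\nicon=drive.ico\n"


def launch_commands(text):
    """Return (key, value) pairs from the [autorun] section that start a program."""
    section, found = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # shell\<verb>\command entries add launch actions to the drive's menu
            if key in LAUNCH_KEYS or (
                key.startswith("shell\\") and key.endswith("\\command")
            ):
                found.append((key, value))
    return found


def inspect_autorun(root):
    """Classify autorun.inf at a drive root: 'absent', 'folder' or 'file'."""
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":  # match case-insensitively, as Windows does
            continue
        path = os.path.join(root, name)
        if os.path.isdir(path):
            # A directory holds the name, so no file called autorun.inf can be written
            return "folder", []
        with open(path, encoding="latin-1") as handle:
            return "file", launch_commands(handle.read())
    return "absent", []


if __name__ == "__main__":
    import sys
    for drive in sys.argv[1:]:  # e.g. E:\ or the path of a mounted image
        status, commands = inspect_autorun(drive)
        print(drive, status)
        for key, value in commands:
            print(f"  {key} -> {value}")
```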

#8 lildrgn

Posted 27 March 2010 - 11:19 PM

Hi boopme. I ran that on the drive and it said "Done" or something like that. Rebooted computer and installed MBAM from the USB drive. It is version 1.32. When starting, it gave a message about not being able to connect to the internet. After hitting OK, I tried to update and it had a drop down menu of site choices. One was Malwarebytes.org (which I tried, but couldn't access) and the other was Securitywonks.net (which worked and downloaded).

After restarting the program, MBAM was updated to 1.36. I have not run that as I think the current version is 1.44.

Since last night, I have done the following:

1. Ran my 1.44 version of MBAM in regular and safe mode. No infections found in either mode.
2. Ran SAS in regular mode. No infections found.
3. Ran Spybot S&D in regular mode. No infections found.
4. Ran Avast free scan in regular mode. No infections found.

I have also tried various cleaners, including:

1. Yahoo Anti-Spy.
2. Dr. Web Cureit.
3. Spyware Doctor.

All came up with nothing.

The pop up isn't too annoying; a simple refresh of the screen makes it go away. The fact that it's blocking websites I need to get to in order to repair it (malwarebytes.org, etc) is annoying.

What next? TIA!

#9 boopme

Posted 27 March 2010 - 11:27 PM

Hi, I feel you are most likely almost clean. There must be one entry left and we can find it with a DDS log.
So please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic from step 9.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#10 lildrgn

Posted 28 March 2010 - 04:46 PM

On it. Look for my new topic shortly.

Edit: and here it is: link

Edited by lildrgn, 28 March 2010 - 04:55 PM.


#11 Orange Blossom

Posted 28 March 2010 - 05:49 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/305550/malware-issue-windows-internet-security-popup/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



