
redirecting/pop ups/have cleaned comp but still infected


16 replies to this topic

#1 udwm995


Posted 29 March 2010 - 05:05 AM

Hey

I've had a problem fixed in these forums before, so I trust someone will be able to help me this time.

To cut it short, my computer's updated and appears to be clean and running, for the most part, absolutely fine. That is, until I go online. My search results in Google are sometimes redirected; they only work if I close and then re-click on the link several times. Also I'm getting a fake Microsoft warning about the online protection tool, which I've read literally hundreds of similar stories about. I've followed many instructions, I've run different AVs which have turned up nothing, I've started in safe mode and run Malwarebytes, which has found 2 infections. Some trojan crap. I've removed these, rebooted, and everything appears to be fine again. Then about 2 hours later, guess what pops up? The same fake Microsoft warning...

I've read about 20 different answers about similar problems and have literally tried all the suggestions I can find, to no avail. Many people also inform me I should just format and reinstall everything from scratch as a surefire way to clean everything, but as many will be aware, for a person with only general knowledge of computers this can be a real pain in the ass.

I'm writing this in the hope that someone who actually knows what they're talking about can help me. If not, I'll format and start from scratch, but I'd really like to exhaust all possibilities before anything extreme.

PLEASE HELP, I'm going MAD!!!


#2 techextreme


Posted 29 March 2010 - 09:34 AM

Could you please post the results from your Malwarebytes scan so we may have somewhere to start, and it can help point us in a direction.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#3 udwm995


Posted 29 March 2010 - 11:32 PM

Thanks for taking the time to look at my post. Here is the log. It hasn't shown anything, but then that's to be expected; however, I think I've found the potential problem.
In my startup programs I've found "toy5knq8oc". It's in a temp folder and it leads to "Erh.exe".
From what I've read, it is a trojan; however, I can't find a way to fix it. The only solution I can find is to install and update Malwarebytes, then scan and remove, but that's not working. It's like this thing knows I'm going to delete it and is hiding from me, haha. I'd like to meet a person who makes these bleep viruses and slap them in the face.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6000
Internet Explorer 7.0.6000.16982

30/03/2010 12:19:20 PM
mbam-log-2010-03-30 (12-19-20).txt

Scan type: Quick Scan
Objects scanned: 93172
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 techextreme


Posted 30 March 2010 - 07:32 AM

When you try updating Malwarebytes, does it give you any messages?

Can you access the internet without problems on your computer?



#5 udwm995


Posted 31 March 2010 - 04:35 AM

Yes. An error comes up when trying to update Malwarebytes (but not when updating my antivirus):

An error occurred, please report to the Malwarebytes team, etc...
Error code: 732 (12007, 0)

And yes, I can use the internet fine. I can still browse everything fine; I just get the fake Microsoft popup randomly, and more often than not, whatever I click on is redirected to advertising or porn, which I straight away close, then re-click the link and it works (sometimes I must re-click on it several times). Windows Update won't work or won't install updates (perhaps unrelated?), and yeah, just general sluggishness of my system.

#6 techextreme


Posted 31 March 2010 - 07:17 AM

Ok. We're gonna look at a few things.

Error Code: 732

This error is referring to Malwarebytes not being able to access the internet. There is a possibility that Malwarebytes sees Internet Explorer as being set to "work offline". We need to change this. We also need to check your proxy settings.

First, open Internet Explorer (even if it won't connect to the internet). In IE7 or IE8, you should see "Tools" in the upper right hand corner.

Click on Tools and look for "Work Offline". It should look like this:

[screenshot: the IE Tools menu with "Work Offline" unchecked]

If you have a blue check mark next to "Work Offline", please click on "Work Offline" until it resembles the picture.

Check your Proxy settings in Internet Explorer to make sure malware did not alter them. If so, that can affect your ability to browse or download tools required for disinfection:

* Open Internet Explorer > click Tools > Internet Options > Connections tab.
* Click the LAN Settings... button and uncheck Use a proxy server for your LAN, or change the settings to the proxy you normally use if you previously reconfigured it.
* Remove any unknown addresses from the Address box. 80 is the default Port so it does not have to be changed.
* Click Ok and then click Ok again.
* Close Internet Explorer and restart the computer.
* An example of how to do this with screenshots can be found in steps 3-7 under the section Automated Removal Instructions... in this guide.

Check your Proxy settings in Firefox to make sure malware did not alter them:

* Open Firefox, click Tools > Options > Advanced and click the Network Tab.
* Under the Connection section click on the Settings... button.
* Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
* Click Ok and then click OK again.
* Close Firefox and restart the computer.

For other browsers, please refer to How to configure browser proxy settings.

Once you have checked these things, please try to update Malwarebytes and if successful, please run and post the log.



#7 udwm995


Posted 31 March 2010 - 08:12 AM

All right, I've followed those instructions and everything appears as it should, so I've restarted my computer, run Malwarebytes, tried to update, but instantly the same error comes up??

Also, this may be nothing, but I'm not entirely computer literate so I thought I should mention....
For some sites the little phishing filter on the status bar does its thing, but on some sites it randomly has a red cross through it and says (when the cursor is held over it) "phishing filter can't check this site because Microsoft online service is temporarily unavailable".

I thought I should mention that in relation to whether or not malware has changed any settings, because it seemed to me quite strange. I assumed if everything was working OK there should be no reason for it to randomly appear on, then off.

#8 techextreme


Posted 31 March 2010 - 08:58 AM

I'd like you to uninstall and reinstall Malwarebytes.

Use mbam-clean.exe to remove all portions of Malwarebytes

Reboot your computer and then reinstall Malwarebytes.

Once reinstalled, please run a scan and post your log.



#9 udwm995


Posted 31 March 2010 - 10:02 AM

I clicked on the link you provided but it wouldn't work. It was redirected to an error page. I re-clicked it and no luck. So I tried to access it from the actual Malwarebytes site, but I can't get into that either. It redirects every time.

However, I still uninstalled it normally through Programs and Features in Control Panel and rebooted. Should I reinstall it again and scan now, or do I have to use the mbam-clean tool you asked me to?

#10 techextreme


Posted 31 March 2010 - 10:31 AM

If you have access to another "non-infected" computer and a thumb drive, you can copy the mbam-clean.exe utility from that computer along with the updated Malwarebytes and the Rules to your infected computer.

mbam-clean.exe

Malwarebytes

mbam-rules



#11 udwm995


Posted 31 March 2010 - 10:58 AM

Unfortunately I don't have access to another computer at the moment and probably won't for another couple of weeks, hence the reason I'm desperate to try and fix this one. Sorry to sound ungrateful, but can you recommend anything else that may help?

#12 techextreme


Posted 31 March 2010 - 12:02 PM

Ok. Let's reinstall Malwarebytes from what you already have and run the update. Let's see if you can get to the update after reinstallation.



#13 techextreme


Posted 31 March 2010 - 02:14 PM

Please download GMER from one of the following locations and save it to your desktop:

* Main Mirror
This version will download a randomly named file (Recommended)
* Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

* Disconnect from the Internet and close all running programs.
* Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
* Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
* Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

* GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
* If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
* Now click the Scan button. If you see a rootkit warning window, click OK.
* When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
* Click the Copy button and paste the results into your next reply.
* Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Edited by techextreme, 31 March 2010 - 02:35 PM.



#14 udwm995


Posted 01 April 2010 - 01:39 AM

I reinstalled Malwarebytes and tried to update, but the same error occurred again.

I followed the instructions and downloaded GMER and saved it to the desktop, disconnected from the internet, disabled AV, clicked on the file and it came up and did a short scan which found 4 things. I didn't get any rootkit warnings, so I continued to click the scan button. It started scanning and came up with a huge list of stuff, but then everything just froze up. So I rebooted and ran it again; the same thing happened, so I rebooted in safe mode, ran the scan, but it only came up with a few things. Here is the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-01 14:17:08
Windows 6.0.6000
Running: l9r28u4b.exe; Driver: C:\Users\Me\AppData\Local\Temp\kxliqpob.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x807B4000]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 [807B099C] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 [807B099C] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [807B099C] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [807B099C] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort2 [807B099C] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
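As an added example (not part of this thread, and not a GMER tool), the script below parses a saved GMER log like the one above and correlates its three kinds of findings back to the implicated driver: an entry point relocated into a non-code section, device dispatch routines resolving into an "unknown section" of the driver image, and the on-disk file reported as a suspicious modification. The indicator wording and the set of "expected" code sections are assumptions made for this example, not GMER's.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the GMER log posted above (blank lines and
# three of the five identical "Device" lines dropped) so the example runs offline.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x807B4000]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 [807B099C] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [807B099C] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# "<section> <image> entry point in "<section>" section [0x...]"
ENTRY_RE = re.compile(r'^\S+ (.+?) entry point in "([^"]+)" section \[0x[0-9A-Fa-f]+\]$')
# "Device <driver object> <device object> [addr] <image>[unknown section] {disassembly}"
DEVICE_RE = re.compile(r"^Device (\\Driver\\\S+) (\\Device\\\S+) \[([0-9A-Fa-f]+)\] (.+?)\[unknown section\]")
FILE_RE = re.compile(r"^File (.+) suspicious modification$")
CODE_SECTIONS = {".text", "INIT", "PAGE"}  # assumed: where a driver entry point normally lives


def _image(path):
    # Reduce both the drive-letter and the \SystemRoot forms to the driver's basename
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return {driver basename: [indicator, ...]} for everything GMER flagged."""
    findings = defaultdict(list)
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section == "Kernel code sections" and (m := ENTRY_RE.match(line)):
            if m.group(2) not in CODE_SECTIONS:  # entry point relocated into a data section
                findings[_image(m.group(1))].append(f"entry point in {m.group(2)} section")
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            findings[_image(m.group(4))].append(f"{m.group(2)} dispatch -> unknown section @{m.group(3)}")
        elif section == "Files" and (m := FILE_RE.match(line)):
            findings[_image(m.group(1))].append("on-disk image reported as suspicious modification")
    return dict(findings)


if __name__ == "__main__":
    for driver, hits in triage(SAMPLE_LOG).items():
        print(f"{driver}: {len(hits)} indicator(s)", *hits, sep="\n  ")
```

On the log above every indicator converges on atapi.sys, while the legitimate BitLocker filter (fvevol.sys, an AttachedDevice line) is not flagged.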

#15 techextreme


Posted 01 April 2010 - 07:40 AM

You have a rootkit which requires tools which are not permitted in this forum. So, at this point, I think this one is best left to the experts, so I'm going to refer you to the Virus, Trojan, Spyware, and Malware Removal Logs Forum.

Please read the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help in cleaning your computer. Once complete, post a link back to this forum so the HJT team knows what we have tried.

Please be patient, as the HJT team is quite busy sometimes and it may take a day or even a few for someone to pick up your log, but someone will get back to you.
