Adware on browser


5 replies to this topic

#1 Densuo

Densuo

  • Members
  • 21 posts

Posted 09 April 2010 - 12:26 PM

Good afternoon,

A few days ago I got hit with Total PC Defender 2010. I believe I removed it; it was almost too easy, to be honest. All Malwarebytes found was a rootkit, which Avast saw and quarantined. Then, while the scan was going, I found a Total PC Defender 2010 folder in Program Files; I manually deleted that.

I was still paranoid, went into safe mode, and scanned again. Nothing.

Thinking everything was fine, I continued normal usage, but when I go to some sites I notice that now when I click on a link to something, like YouTube or Google, or when I go to gamefaqs.com, another tab opens up for some random stuff, like buying necklaces and whatnot, with the top of the window saying "just a moment, loading" etc. More often than not Avast steps in and I abort the connection.

I went through some searching on my iPhone to look up info about this, read up on info concerning extensions (deleted that folder from Firefox) and to check the Add/Remove Programs section of Windows; nothing there.

The issue still persists.

I currently have Avast and Malwarebytes Anti-Malware, free versions (considering purchasing the full version), as well as Spybot S&D. I have already downloaded ComboFix (renamed it to combo-fix as I saw on a different thread). This process may take some time as I work the night shift, but I'll start combo-fix now to post a log if need be.


EDIT: I'm not sure if this is also part of the problem, but it's also caused my PC to just totally shut down; I'd then have to wait some time before trying to turn it on again. (Though I think it's a possible tell that the processor fan is about to bite it.) Granted, both times it shut down, it happened when I ran a Malwarebytes scan and an Avast scan in normal mode.

Edited by Budapest, 09 April 2010 - 05:06 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP




#2 Densuo

Densuo
  • Topic Starter

  • Members
  • 21 posts

Posted 10 April 2010 - 12:46 PM

I noticed my thread got moved. I ran ComboFix, but it looks like I got ahead of myself. As it's in a new area, I notice I should put info concerning the computer:

It uses Windows XP Service Pack 3.
I tried to uninstall ComboFix using the Run command, but it didn't do anything but run it like I would if I double-clicked it. So now I have two logs of it.

I think I'll refrain from getting ahead of myself and wait for instruction. I'm posting this via my iPhone to prevent myself from doing anything else without instruction.

Edit: ran a boot scan with Avast. Deleted some infected music files (irrelevant) and an adware item in a restore point.

I have not used the Internet on the computer while waiting for a response. But when using it in normal mode and having two windows open today, I got an error stating that Generic Win32 service has encountered a problem and needs to close. The result afterwards is the computer becoming unusable, as it just hangs, forcing me to turn it off.

Edited by Densuo, 11 April 2010 - 03:09 AM.


#3 Densuo

Densuo
  • Topic Starter

  • Members
  • 21 posts

Posted 12 April 2010 - 09:38 AM

Still haven't heard from you guys. I know for sure I'm infected by this unsolicited redirect thing now.

Ran Spybot Search and Destroy in safe mode. It deleted a Trojan, 2 registry things (an antivirus override and a firewall override) and cookies.

Rebooted in normal mode. First thing I noticed was that my Windows Firewall was down. Fixed that via Control Panel.

Updated Spybot Search and Destroy, then ran it. Nothing found. While waiting for it to finish, the generic win32 process failed again, making the computer hang. Safe mode scan found nothing.

I wanted to post this via the computer, but when I opened Firefox and went here everything seemed OK. Went to GameFAQs in another tab. Browser hangs for a second, then a new tab opens with something. I try to close it. The window minimizes with a notice popup (the ones that ask if you are sure you want to close the browser) that has an obvious typo saying "Sure to leave?"; if you press X another one appears asking again. I closed it via Task Manager; it doesn't allow me to restore the window.

This was what prompted me to run Spybot again before the win32 service failed. This is what it shows in the error message when you click on Details for it:

Error signature
szAppName: svchost.exe szAppVer: 5.1.2600.5512

szModName: Flash10d.ocx szModVer: 10.0.42.34 offset: 000e6f80

Error report contents

C:DOCUMENTS~1\HP_ADM~1\LOCALS~1\Temp\WER26a7.dir00\svchost.exe.mdmp

C:DOCUMENTS~1\HP_ADM~1\LOCALS~1\Temp\WER26a7.dir00\appcompat.txt

Edited by Densuo, 12 April 2010 - 09:42 AM.


#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts

Posted 15 April 2010 - 10:34 PM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Make sure the Sections option is checked (in the right hand panel). Leave all other options unchecked!
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 Densuo

Densuo
  • Topic Starter

  • Members
  • 21 posts

Posted 16 April 2010 - 12:02 PM

Successfully downloaded GMER through the main mirror.

Followed instructions and ran GMER in normal mode. Hung when trying to save the GMER.log; had to forcefully turn the comp off.

Rebooted in safe mode. I noticed both times that the quick scan read something different than the main scan, so posting both just in case.

When I copied the quick scan results GMER froze; closed it, then ran it again. Normal scan completed, copied info and saved the log with no issue.

When I tried to click Start to shut down it did not respond, forcing me to turn it off again.

Questions:

1) My comp has a D drive, which is the recovery console; that shouldn't be an issue, right?
2) I have 2 external drives, but I haven't used them since the time of infection. There's some Sality 32 viruses on some exes in one of them; I'm sure those are unrepairable, but is deleting them safe to do after all this is over?

Anyway. Thanks for helping me with this. Here are the quick and normal scans for GMER.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-16 12:40:44
Windows 5.1.2600 Service Pack 3
Running: g7dldne3.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwwyypod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86FE5AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-16 12:45:53
Windows 5.1.2600 Service Pack 3
Running: g7dldne3.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwwyypod.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\ohci1394.sys entry point in ".rsrc" section [0xF78CF114]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[604] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[604] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\svchost.exe[604] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0073000C
.text C:\WINDOWS\Explorer.EXE[896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\Explorer.EXE[896] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C8000A
.text C:\WINDOWS\Explorer.EXE[896] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BD000C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ohci1394.sys suspicious modification

---- EOF - GMER 1.0.15 ----


EDIT: a yellow shield icon popped up when I booted to normal mode to post this. It looked like a legit Windows update, but I did NOT install it when I shut the computer down, so as not to change the system state unless you say so. I feel it's legit, since when I picked shutdown the icon was there and I clicked the mini link saying to shut down without installing.

Edited by Densuo, 16 April 2010 - 12:07 PM.
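The two GMER logs above are the kind of output a helper has to read line by line before replying. The following parser is an added example written for this thread; it is not GMER's own code and not something the posters ran. It takes GMER's plain-text report (the "---- Section - GMER 1.0.15 ----" headers with one finding per line), extracts the entry types that appear in the posted logs (attached filter devices, a redirected device object in the disk stack, a kernel driver whose entry point sits in its ".rsrc" section, inline JMP hooks in user-mode processes, and files flagged as "suspicious modification"), and turns them into prioritised triage notes. The regular expressions are assumptions fitted to the lines in this thread, not a documented GMER grammar, and the embedded sample is an excerpt copied from the logs posted above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed line formats, fitted to the GMER 1.0.15 output in this thread.
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(?P<stack>\S+)\s+(?P<device>\S+)\s+(?P<driver>\S+)\s+\((?P<vendor>.+)\)$")
REDIRECT_RE = re.compile(r"^Device -> (?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-Fa-f]+)$")
KERNEL_RE = re.compile(r"^\.(?P<section>\w+)\s+(?P<path>\S+)\s+(?P<detail>.+)$")
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>\S+)\[(?P<pid>\d+)\]\s+(?P<symbol>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<nbytes>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")


@dataclass
class UserHook:
    image: str          # hooked process image
    pid: int
    symbol: str         # e.g. ntdll.dll!NtProtectVirtualMemory
    address: int        # patched code address
    patched_bytes: int  # length of the overwritten prologue
    target: int         # where the inline JMP goes


@dataclass
class GmerReport:
    attached_devices: List[Dict[str, str]] = field(default_factory=list)
    redirected_devices: List[Dict[str, str]] = field(default_factory=list)
    kernel_anomalies: List[Dict[str, str]] = field(default_factory=list)
    user_hooks: List[UserHook] = field(default_factory=list)
    suspicious_files: List[str] = field(default_factory=list)


def parse_gmer_log(text: str) -> GmerReport:
    """Walk the log, tracking the current section, and collect typed findings."""
    report = GmerReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group("name")          # e.g. "Devices", "Files", "EOF"
            continue
        if section is None:
            continue                           # banner lines before the first section
        if section.startswith("Devices"):
            if (m := ATTACHED_RE.match(line)):
                report.attached_devices.append(m.groupdict())
            elif (m := REDIRECT_RE.match(line)):
                report.redirected_devices.append(m.groupdict())
        elif section.startswith("Kernel code sections"):
            if (m := KERNEL_RE.match(line)):
                report.kernel_anomalies.append(m.groupdict())
        elif section.startswith("User code sections"):
            if (m := USER_HOOK_RE.match(line)):
                g = m.groupdict()
                report.user_hooks.append(UserHook(g["image"], int(g["pid"]), g["symbol"],
                                                  int(g["addr"], 16), int(g["nbytes"]), int(g["target"], 16)))
        elif section.startswith("Files"):
            if (m := FILE_RE.match(line)):
                report.suspicious_files.append(m.group("path"))
    return report


def triage(report: GmerReport) -> List[str]:
    """Rank the findings the way a reply would: disk-level tampering first, user-mode hooks last."""
    notes = []
    for path in report.suspicious_files:
        notes.append(f"HIGH: {path} reported as modified on disk; compare its hash with a clean copy from the same Windows build")
    for dev in report.redirected_devices:
        if "Harddisk" in dev["device"]:
            notes.append(f"HIGH: {dev['device']} is reached through {dev['driver']} at {dev['addr']}; "
                         "a redirected disk device object is a classic rootkit trait")
    for k in report.kernel_anomalies:
        if ".rsrc" in k["detail"]:
            notes.append(f"MEDIUM: {k['path']}: {k['detail']}; a driver's entry point does not normally live in its resource section")
    by_symbol: Dict[str, set] = {}
    for h in report.user_hooks:
        by_symbol.setdefault(h.symbol, set()).add(f"{h.image}[{h.pid}]")
    for sym, procs in sorted(by_symbol.items()):
        # User-mode inline hooks are also placed by security products, so these need correlation
        # with what is installed before they count as evidence of infection.
        notes.append(f"INFO: {sym} patched with an inline JMP in {len(procs)} process(es): {', '.join(sorted(procs))}")
    return notes


# Excerpt copied from the two GMER logs posted in this thread (quick scan followed by full scan).
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-16 12:40:44
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86FE5AC8
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-16 12:45:53
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\ohci1394.sys entry point in ".rsrc" section [0xF78CF114]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[604] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[604] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\svchost.exe[604] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0073000C
.text C:\WINDOWS\Explorer.EXE[896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\Explorer.EXE[896] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C8000A
.text C:\WINDOWS\Explorer.EXE[896] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BD000C
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\ohci1394.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for note in triage(parse_gmer_log(SAMPLE_LOG)):
        print(note)
```

Run as-is it prints the notes for the posted logs: the two modified drivers and the redirected Harddisk0 device object come out as HIGH, the ohci1394.sys entry-point oddity as MEDIUM, and the three ntdll hooks in svchost.exe and Explorer.EXE as INFO, which matches the order in which the moderator's reply treats the evidence.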


#6 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts

Posted 16 April 2010 - 03:29 PM

Your log shows evidence of a nasty rootkit infection. Follow the instructions given here starting at step 7:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/