
Some kind of virus...


14 replies to this topic

#1 peel

peel

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:03:52 PM

Posted 23 August 2010 - 12:43 AM

When I search things on Google and I click the link, it takes me to a completely different site. Even if the link on Google is to a reputable site like Wikipedia or YouTube or something, it will take me to random sites like once it took me to like a lawyer site sign up, another time it took me to adultfriendfinder.com after I clicked a Wikipedia link. I think it's some ad program or virus. This only happens on my Firefox browser.

Edited by Blade Zephon, 23 August 2010 - 02:44 AM.
Moved from Win7 to AII. ~BZ




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,933 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:52 PM

Posted 23 August 2010 - 11:58 AM

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.
  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious', get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 peel

Posted 23 August 2010 - 06:56 PM

HKLM\SYSTEM\ControlSet001\services\rqproo - will be deleted after reboot
HKLM\SYSTEM\ControlSet002\services\rqproo - will be deleted after reboot
C:\Windows\system32\drivers\rqproo.sys - will be deleted after reboot


Not sure if this is a virus or just a normal thing on my computer. I'm scared deleting it may damage computer?

#4 quietman7

Posted 23 August 2010 - 09:18 PM

I asked you to scan with TDSS Rootkit Removing Tool. Did you do that?

I don't know what program you ran that is showing those entries.

#5 peel

Posted 23 August 2010 - 11:19 PM

YES. That was TDSSKiller.exe
That was the only thing that showed up so I selected Delete. Then I rebooted and now my brand new laptop shows a black screen when I log in and my first day of college starts in a couple days. Help!

#6 peel

Posted 23 August 2010 - 11:29 PM

Was it deleting this that caused this problem? I also used Dr Web's Cure It complete scan also and I left it alone and it was like half way done the check the last time I checked and then when I came back it had restarted the computer and then I got this problem so I assumed it probably finished the scan, fixed the detected items and restarted.

Update: I fixed it with a System Restore. But I was wondering if you know whether it was removing that thing 'rqproo' or something else? And what's the difference between deleting it and curing it? (As there was no Cure option)

Edited by peel, 24 August 2010 - 12:29 AM.


#7 quietman7

Posted 24 August 2010 - 10:04 AM

I was going to advise you to try System Restore but you figured that out on your own. I have never encountered a situation where a machine would not reboot after using TDSSKiller but it's possible. The more likely cause I would suspect was something removed by Dr.Web CureIt, which performs a much more extensive scan of your system. That's why it's always safer to cure or quarantine items rather than automatically delete them. If something goes awry, you can restore the file from quarantine.


Try doing an online scan to see if it finds anything else (i.e. remnants) that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#8 peel

Posted 24 August 2010 - 04:27 PM

Here's the log for ESET

C:\TDSSKiller_Quarantine\23.08.2010_19.53.34\susp0000\svc0000\tsk0000.dta a variant of Win32/Bubnix.AZ trojan cleaned by deleting - quarantined
C:\Users\Will\AppData\Local\Windows Server\hlp.dat Win32/Bamital.DT trojan cleaned by deleting - quarantined
C:\Windows\System32\hlp.dat Win32/Bamital.DT trojan cleaned by deleting (after the next restart) - quarantined


Also before this, I tried scanning with Cure it! again since the Restore put me before it. It got like 40% then found something, asked me if I wanted to move it, I said Yes to All, then I got a Blue Screen saying something caused Windows to not function correctly and my comp restarted. I was wondering if I should still try it and select a different option this time or just stop using Cure it!
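
Added example (not part of any post in this thread): a small Python triage of the TDSSKiller lines from post #3 and the ESET lines from post #8, separating live files from a copy that already sits in a quarantine folder and flagging removals that still wait on a restart. The location labels, and the assumption that every result line carries the object type "trojan" in the layout shown on this page, are this example's own.

```python
import re
from collections import namedtuple

# Log lines copied verbatim from posts #3 and #8 of this thread.
TDSSKILLER_LINES = [
    r"HKLM\SYSTEM\ControlSet001\services\rqproo - will be deleted after reboot",
    r"HKLM\SYSTEM\ControlSet002\services\rqproo - will be deleted after reboot",
    r"C:\Windows\system32\drivers\rqproo.sys - will be deleted after reboot",
]
ESET_LINES = [
    r"C:\TDSSKiller_Quarantine\23.08.2010_19.53.34\susp0000\svc0000\tsk0000.dta"
    r" a variant of Win32/Bubnix.AZ trojan cleaned by deleting - quarantined",
    r"C:\Users\Will\AppData\Local\Windows Server\hlp.dat"
    r" Win32/Bamital.DT trojan cleaned by deleting - quarantined",
    r"C:\Windows\System32\hlp.dat Win32/Bamital.DT trojan"
    r" cleaned by deleting (after the next restart) - quarantined",
]

Detection = namedtuple("Detection", "path threat action location pending_reboot")

# The path may contain spaces, so it is taken up to its file extension; the
# threat name ends at the object type, which is "trojan" on every line here.
ESET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.\w{2,4})\s+(?:a variant of\s+)?"
    r"(?P<threat>\S+)\s+trojan\s+(?P<action>.+)$"
)

def classify_location(path):
    """Label where a hit lives (labels are this example's own convention)."""
    p = path.lower()
    if "_quarantine\\" in p:
        return "scanner-quarantine"  # a copy another tool already set aside
    if p.startswith("c:\\windows\\system32\\"):
        return "system"
    if "\\appdata\\" in p:
        return "user-profile"
    return "other"

def parse_eset(lines):
    """Turn ESET result lines into Detection records, skipping unknown layouts."""
    found = []
    for line in lines:
        m = ESET_RE.match(line.strip())
        if m:
            loc = classify_location(m["path"])
            reboot = "after the next restart" in m["action"]
            found.append(Detection(m["path"], m["threat"], m["action"], loc, reboot))
    return found

def tdss_driver_services(lines):
    """Names reported both as a services registry key and as a drivers .sys file."""
    keys, drivers = set(), set()
    for line in lines:
        target = line.split(" - ", 1)[0]
        keys.update(s.lower() for s in re.findall(r"\\services\\([^\\]+)$", target, re.I))
        drivers.update(d.lower() for d in re.findall(r"\\drivers\\([^\\]+)\.sys$", target, re.I))
    return sorted(keys & drivers)

if __name__ == "__main__":
    print("driver services:", tdss_driver_services(TDSSKILLER_LINES))
    for d in parse_eset(ESET_LINES):
        print(f"{d.location:18} {d.threat:18} reboot={d.pending_reboot} {d.path}")
```

On these lines the Bubnix.AZ hit is the copy under C:\TDSSKiller_Quarantine, and the System32 Bamital.DT file is the only removal still waiting on a restart.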

#9 quietman7

Posted 24 August 2010 - 06:19 PM

The speed and ability to complete an anti-virus or anti-malware scan depends on a variety of factors.
  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted programs (PUPS).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.
-- Using two security scanning engines at the same time can cause each to interfere with the other, cause system hangs, false detections, unreliable results and other unpredictable behavior.

Note: It is not unusual for an anti-virus or anti-malware scanner to be suspicious of some compressed, archived, .cab and packed files because they have difficulty reading what is inside them. These kinds of files often trigger alerts by security software using heuristic detection because they are resistant to scanning (difficult to read). This resistance may also cause some scanners to stall (hang) on these particular types of files or just ignore (skip) them. Certain files in the System Volume Information Folder like the Tracking.log (created by the Distributed Link Tracking Service to store maintenance information) have also been reported as a source causing some scanners to hang.

Since you are having issues with Dr.Web I suggest you skip it and do this instead.

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Edited by quietman7, 24 August 2010 - 06:20 PM.


#10 peel

Posted 24 August 2010 - 08:02 PM

Oh, that may be a problem. I scanned with Malwarebytes, SAS, and Spybot all at the same time.. Like the day before this all happened. Also, I just scanned with ESET, restarted and got a blue screen from a Windows error. I'm not sure if this was ESET or something else. My computer's performance is very strange sometimes now on Firefox.

#11 quietman7

Posted 24 August 2010 - 08:13 PM

Did the BSOD provide a Stop Error Message or identify a driver (.sys file) as shown in this example?

Crashes (BSOD), unexpected shutdowns, sudden freezing, random restarting, and booting problems could be symptomatic of a variety of things to include hardware/software issues, overheating caused by a failed processor fan, bad memory (RAM), failing or underpowered power supply, CPU overheating, motherboard, video card, faulty or unsigned device drivers, CMOS battery going bad, BIOS and firmware problems, dirty hardware components, programs hanging or unresponsive in the background, and sometimes malware. Even legitimate programs like CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) can trigger crashes, various stop error messages and system hangs so you may or may not be dealing with multiple issues. If the computer is overheating, it usually begins to shutdown/restart on a more regular basis. Troubleshooting for these kinds of issues can be arduous and time consuming. There are no shortcuts.

When Windows detects a problem from which it cannot recover, it displays Stop Error Messages which contain specific information that can help diagnose and resolve the problem detected by the Windows kernel. An error message can be related to a broad number of problems such as driver conflicts, hardware issues, read/write errors, and software malfunctions and malware. In Windows XP, the default setting is for the computer to reboot automatically when a fatal error or crash occurs. You may not see the error code because the computer reboots too fast.

An easier alternative is to turn off the automatic reboot feature so you can actually see the error code/STOP Message when it happens - this is also known as the Blue Screen Of Death (BSOD). To change the recovery settings and Disable the Automatic Restart on System Failure in Windows XP, go to Start > Run and type: sysdm.cpl
Click Ok to open System Properties.

Alternatively you can just press WINKEY + Pause/Break keys to bring up System Properties.
  • Go to the Advanced tab and under "Startup and Recovery", click on the "Settings" button and go to "System failure".
  • Make sure "Write an event to the system log" is checked and that "Automatically restart" is unchecked.
  • Click "OK" and reboot manually for the changes to take effect.
This can also be done in the Windows Advanced Options Menu as shown here by pressing the F8 key repeatedly like you would do for entering safe mode.

-- Vista users can refer to these instructions: How To Disable the Automatic Restart on System Failure in Windows Vista.
-- Windows 7 users can refer to these instructions: How To Disable the Automatic Restart on System Failure in Windows 7.

Doing this won't cure your problem but instead of crashing and restarting you will get a blue diagnostic screen with an error code and other information to include file(s) that may be involved which will allow you to better trace your problem. Write down the full error code and the names of any files/drivers listed, then provide that information in your next reply so we can assist you with investigating the cause. Without that specific information, we would only be guessing rather than troubleshooting.

#12 peel

Posted 24 August 2010 - 08:59 PM

So after I do this I would have to wait for this to happen again if it were to happen again?

#13 quietman7

Posted 25 August 2010 - 07:34 AM

As I said, without having information you're only guessing, not troubleshooting so you may have to wait.

You may be able to find the error by looking in the Event Log. If you don't know how to do that, please refer to:

#14 peel

Posted 25 August 2010 - 06:15 PM

Ok I just got Kaspersky AV 2010 so I'm gonna scan with that, hopefully that'll clear things up. I haven't gotten a BSOD since.

#15 quietman7

Posted 25 August 2010 - 07:47 PM

That's good to hear.