Webhp hijack


14 replies to this topic

#1 miss.charli
Posted 01 September 2010 - 06:43 PM

Hi,
I have had my browser hijacked by the webhp virus. I have downloaded Malwarebytes as you have described; however, when I try to download GMER my computer crashes and comes up with the blue screen of death. I am running on Windows XP, using Sophos and Spybot S&D. Please help.
- Charli

Edited by Orange Blossom, 01 September 2010 - 07:42 PM.
Move to AII for initial assistance. ~ OB



#2 boopme
Posted 01 September 2010 - 08:08 PM

Hello, hold off on GMER. Have you run MBAM? If so, post the log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 miss.charli
Posted 01 September 2010 - 10:34 PM

This is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4511

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

31/08/2010 6:49:58 PM
mbam-log-2010-08-31 (18-49-58).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 215818
Time elapsed: 1 hour(s), 39 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Userinit.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Josh\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D} (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{1F09CAC8-995F-4679-B1ED-A4DC13C37390}\RP1052\A0087221.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\nslive.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul (Worm.Prolaco.M) -> Quarantined and deleted successfully.



Am in the middle of downloading the programs you specified. I will update once they are done.

Thanks

#4 miss.charli
Posted 02 September 2010 - 06:43 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/02/2010 at 09:00 PM

Application Version : 4.42.1000

Core Rules Database Version : 5444
Trace Rules Database Version: 3256

Scan type : Complete Scan
Total Scan Time : 06:41:26

Memory items scanned : 204
Memory threats detected : 0
Registry items scanned : 6466
Registry threats detected : 3
File items scanned : 88308
File threats detected : 53

System.BrokenFileAssociation
HKCR\.exe

Trojan.Homepage
HKU\S-1-5-21-343818398-1715567821-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7A932ED2-1737-4AB8-B84D-C71779958551}
HKCR\CLSID\{7A932ED2-1737-4AB8-B84D-C71779958551}

Adware.Tracking Cookie


Everything is looking good so far, no redirects yet. :thumbsup: However, the Google toolbar still isn't coming up with suggestions; I'm not sure if that is related or not. I also use BlackBoard for uni, and it still won't run, coming up with an error message. Once again I'm not sure if that is related, and I have contacted the administrators of that site to try and fix that as well.
I really appreciate your help.

#5 miss.charli
Posted 02 September 2010 - 07:17 AM

Unfortunately, my optimism has quickly faded. My system is still compromised :flowers: I am still getting redirects, no longer to google.com/webhp but now to sites like ninenow, and also this came up after I clicked on a link on Google; then on exiting it, it started up a fake security scan:
http://i1190.photobucket.com/albums/z444/c...um/untitled.jpg

Please help. This is really doing my head in. :thumbsup:

#6 boopme
Posted 02 September 2010 - 09:17 AM

Hello, hang in there ... These are rogue antispyware attacks. We will do this and maybe another scan or two, and I think we can kick this.

We need to kill their start ups so....
Reboot into Safe Mode with Networking
How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Do not reboot your computer after running RKill, as the malware programs will start again. If rebooting is required, run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next open SUPERAntiSpyware and select Update. When done, scan (SAS):
Post new log.

Now Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#7 miss.charli
Posted 07 September 2010 - 07:14 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/07/2010 at 05:51 PM

Application Version : 4.42.1000

Core Rules Database Version : 5462
Trace Rules Database Version: 3274

Scan type : Complete Scan
Total Scan Time : 01:52:56

Memory items scanned : 252
Memory threats detected : 0
Registry items scanned : 6469
Registry threats detected : 0
File items scanned : 88488
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\Josh\Cookies\josh@serving-sys[1].txt
C:\Documents and Settings\Josh\Cookies\josh@ads.monster[2].txt
C:\Documents and Settings\Josh\Cookies\josh@n-traffic[1].txt
C:\Documents and Settings\Josh\Cookies\josh@collective-media[2].txt
C:\Documents and Settings\Josh\Cookies\josh@imrworldwide[2].txt
C:\Documents and Settings\Josh\Cookies\josh@bs.serving-sys[1].txt
C:\Documents and Settings\Josh\Cookies\josh@revsci[1].txt
C:\Documents and Settings\Josh\Cookies\josh@advertise[1].txt



MBAM said there was nothing, but the problems are as bad as ever.

#8 boopme
Posted 07 September 2010 - 02:23 PM

Hello, Please run an online scan.

ESET
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.


If it still exists we will do a log deep scan...
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the anti-virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore it and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

#9 miss.charli
Posted 08 September 2010 - 01:09 AM

Some very odd things are happening.
I have tried to open up, as you suggested, ESET and got up to "accept any security warnings from your browser", but then an error comes up saying that (paraphrasing) to display the webpage, all data will be resent, so if you are making purchases this may make it purchase twice. So I click retry, and a little box with a red X comes up in the corner; I left-click on this and go to the cached snapshot of this page, as it is the only thing that works, and it asks me to install the program. I do this and then another error comes up saying "Can not get update. Is proxy configured?"

It won't go past this. What do I do?


Thanks again for all of your help :D

#10 boopme
Posted 08 September 2010 - 08:53 AM

Can you move to DrWeb?

Skip over ESET or
Try this: open Control Panel, Internet Options, Connections tab, LAN settings, and uncheck the box next to "Use proxy...".
Or your AV may be blocking it.

OR try this one and see
Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy and paste the entire report in your next reply.

#11 miss.charli
Posted 21 October 2010 - 01:29 AM

I'm sorry it has taken so long to reply. I have almost given up on getting this fixed. Dr.Web will not run and neither will F-Secure.
When I click to install Dr.Web, WinRAR comes up and says: Error encountered while performing the operation. Look at the information window for more detail.
The information window says: The archive is either in unknown format or damaged.
With F-Secure, the page just won't properly load. The error details are as follows: Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Timestamp: Thu, 21 Oct 2010 06:23:15 UTC


Message: Automation server can't create object
Line: 28
Char: 13
Code: 0
URI: http://download.sp.f-secure.com/ols/4.2/f-secure/rtm/fsols/launch/script/fs_xml.js


Message: Object required
Line: 652
Char: 5
Code: 0
URI: http://www.f-secure.com/en_AU/security/security-lab/tools-and-services/online-scanner/


Message: Object required
Line: 493
Char: 13
Code: 0
URI: http://www.f-secure.com/en_AU/security/security-lab/tools-and-services/online-scanner/

Nothing seems to work. I haven't backed anything up from it before. Would it be safe to do so with a virus on it, and then just reboot the computer? I'm running out of patience. Nothing seems to be working. I had to delete S&D and SUPERAntiSpyware because now my computer is saying it has no free space on the C drive, but really the only things running on C are Windows programs; could this be part of the problem too? Are there any exe programs I should be watching out for?
Google still won't auto suggest and black board still won't work, but works on all of my other computers.
And of course random webpages keep popping up.
Please if you have any further insight it would be greatly appreciated.

#12 boopme
Posted 21 October 2010 - 10:16 AM

Uggh, let's see ... What does it show for space?
Click My Computer and mouse over the C drive image. What are the Total and Free space?

UPDATE and Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

If you want to consider reformatting, 2 guidelines/rules when backing up:

1) Back up all your important data files, pictures, music, work etc. and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files, as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.

#13 miss.charli
Posted 23 October 2010 - 09:56 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4511

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

24/10/2010 12:48:45 PM
mbam-log-2010-10-24 (12-48-45).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 208007
Time elapsed: 1 hour(s), 29 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.



My C: Drive total space is 9.76GB with 183MB Free.

Still no real changes. Any other suggestions before reformatting?
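An added example, not code from the thread or from Malwarebytes: a small parser for the MBAM 1.x log format posted in #3 and #13 that pulls out the persistence points a responder would check first, the Winlogon\Userinit chain (the "Bad: (...) Good: (...)" line above shows sdra64.exe appended to userinit.exe) and the Image File Execution Options key, plus every item MBAM marked "Delete on reboot" so it can be verified after the restart. The sample log is constructed by trimming the detections posted in this thread.

```python
import re

# Constructed sample: a trimmed copy of the detection lines posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4511

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Userinit.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
"""

# Section header such as "Registry Keys Infected:" (the summary lines end in a count, not ":").
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# One detection line: "<target> (<detection name>) -> <rest>"
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
# The two shapes <rest> takes in the "Registry Data Items Infected" section.
DATA_RE = re.compile(r"^Data: (?P<data>.+?) -> (?P<action>.+)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return {section name: [finding dict, ...]} for every '... Infected:' section."""
    findings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            findings.setdefault(section, [])
            continue
        if section is None or not line:
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue  # "(No malicious items detected)" and other non-finding lines
        item = {"target": m["target"], "detection": m["detection"],
                "action": m["rest"], "data": None, "bad": None, "good": None}
        bg = BADGOOD_RE.match(m["rest"])
        d = DATA_RE.match(m["rest"])
        if bg:
            item.update(bad=bg["bad"], good=bg["good"], action=bg["action"])
        elif d:
            item.update(data=d["data"], action=d["action"])
        findings[section].append(item)
    return findings


def userinit_extras(findings):
    """Executables chained into Winlogon\\Userinit besides the legitimate userinit.exe."""
    extras = []
    for item in findings.get("Registry Data Items Infected", []):
        if item["bad"] is None or not item["target"].lower().endswith(r"\winlogon\userinit"):
            continue
        for entry in item["bad"].split(","):
            entry = entry.strip()
            if entry and entry.rsplit("\\", 1)[-1].lower() != "userinit.exe":
                extras.append(entry)
    return extras


def ifeo_targets(findings):
    """Programs with a flagged Image File Execution Options key (debugger-style hijack)."""
    out = []
    for item in findings.get("Registry Keys Infected", []):
        parts = item["target"].split("\\")
        if "Image File Execution Options" in parts[:-1]:
            out.append(parts[-1])
    return out


def pending_reboot(findings):
    """Targets MBAM could not remove immediately; confirm they are gone after rebooting."""
    return [item["target"] for items in findings.values() for item in items
            if item["action"].startswith("Delete on reboot")]


if __name__ == "__main__":
    f = parse_mbam_log(SAMPLE_LOG)
    print("Extra executables in the Userinit chain:", userinit_extras(f))
    print("IFEO-hijacked programs:", ifeo_targets(f))
    print("Verify gone after reboot:", pending_reboot(f))
```

Run against the full log from #13, the Userinit check reports sdra64.exe, which is why a "Delete on reboot" result there should be followed by a fresh scan rather than taken as a clean bill.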

#14 miss.charli
Posted 24 October 2010 - 12:56 AM

Hi sorry, I forgot to update beforehand, this is the new log after the update.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

24/10/2010 2:30:43 PM
mbam-log-2010-10-24 (14-30-43).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 213414
Time elapsed: 1 hour(s), 30 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\winwwin.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GD6BK1ER\app[1].exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

#15 boopme
Posted 24 October 2010 - 12:09 PM

Hello, your drive is almost full. Are there any programs or things you definitely do not need and can remove?

We are finding a load of backdoor infections. These trojans and bots allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


To continue to clean we need to run these next:
Please run the tool here How to remove Google Redirects

When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Download FakeAlert Stinger and save to desktop.
Double-click the Stinger application you saved to your desktop.

NOTE: If you are a Windows 7 or Windows Vista user, right-click and select Run As Administrator

If a security warning is displayed, click Yes or Run.
By default the C: drive is scanned. Click Add or Browse to add additional drives/directories.
Click Scan Now. By default, Stinger repairs all infected files found.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Edited by boopme, 24 October 2010 - 12:11 PM.
