Malware "system tool"


This topic is locked
20 replies to this topic

#1 beablanche

beablanche

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vellinge, Sweden
  • Local time:05:50 PM

Posted 06 January 2011 - 11:19 AM

Dear colleagues - I've finished your removal suite and I'm about to upload the result files:

attach.txt
DDS.txt
ark.txt (from GMER)

Hope this will be what's requested.
My user name is beablanche
My email address is xxxxxxx
My home page - http://beacon.se

Gratefully awaiting your response with some excitement!
Kent Åsberg, Vellinge (Sweden).

Attached Files


Edited by teacup61, 06 January 2011 - 12:08 PM.
edited out e-mail address.

Problem: Got the 'system tool' malware :(
Computer: hp Compaq dx2000 MT
Motherboard: dx2000M/p3.0E/80bwf/512F/4
Memory: DDR 2.5 GB
OS: XP Pro Sp3 Antivirus sw: AVG

#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:50 AM

Posted 06 January 2011 - 12:10 PM

Hello Kent ,

Navigate to this folder in bold and delete it: c:\documents and settings\all users\application data\kkcoa01822

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. IF YOU USE AVG IT MUST BE UNINSTALLED OR THIS WILL NOT RUN.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to kent.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 beablanche

Posted 07 January 2011 - 05:42 AM

Thanks - the file in bold now deleted (a folder including two files).

Combofix message on start attempt:

"Combofix cannot run when AVG is installed.
This is due to AVG's targeting of ComboFix's files/processes.

Please uninstall AVG or use another tool
"

I've AVG 9 installed - tried to uninstall it and got this message:


"Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Access is denied.
"

---------------------------------------------------
Just wanted to do something, so I restarted in normal mode (wanted to try uninstalling AVG via the control panel option in normal mode, hoping that the virus wouldn't stop such an attempt).
Surprise (at least to me): no 'system tool' interface popped up, open office 97 displayed its vertical bar with options on the left side of the screen, AVG immediately started a (somewhat delayed) scheduled run (292,768 objects scanned at this very moment), Outlook Express operates OK again and so forth - decided to let AVG go on with its scanning.

So, I guess the primary reason for me being able to run in normal mode in a seemingly normal way must be the deletion of the file (i.e. the folder including two files) that you advised me to do as the first step!

Still confused, though, about the messages reported above the dashed line from ComboFix and the attempt to uninstall AVG!

Edited by beablanche, 07 January 2011 - 10:23 AM.


#4 teacup61

Posted 07 January 2011 - 10:30 AM

Hello there,

Yes, the deletion of that folder, with the files inside, is the most important part of this. :thumbup2:

AVG doesn't play well with ComboFix, so that's why we always require it to be uninstalled.

Since you can run things now, let's try this rather than ComboFix and see what we get:

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Thanks,
tea

#5 beablanche

Posted 08 January 2011 - 07:38 AM

Thanks again, teacup61 - I've been unable to make contact via the Internet since last night - just when I was ready to post my report.
My broadband router seems to have crashed, so I'm running a mobile broadband (a kind of card-based backup for the ordinary fixed broadband) at the moment.

The download of the Anti-Malware tool succeeded but the db update failed, so the run was made using their 1-2-week-old db (this was done on Friday). The result was, however, rather helpful as it seems. Earlier today (Saturday), I made a new run targeting the whole computer, so I'll present both logs below:

---------------------------------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Databasversion: 5363

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2011-01-07 19:55:50
mbam-log-2011-01-07 (19-55-50).txt

Skanningstyp: Snabbskanning
Antal skannade objekt: 173036
Förfluten tid: 9 minut(er), 36 sekund(er)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 16
Infekterade registervärden: 0
Infekterade registerdataposter: 2
Infekterade mappar: 8
Infekterade filer: 8

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
HKEY_CLASSES_ROOT\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1D4DB7D0-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8C788AA2-7530-43BE-97B7-4D491F13BEA3} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CntntCntr.CntntDic (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CntntCntr.CntntDic.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CntntCntr.CntntDisp (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CntntCntr.CntntDisp.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HbCoreSrv.DynamicProp (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\HbCoreSrv.DynamicProp.1 (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\HostOL.MailAnim (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\HostOL.MailAnim (Adware.Hotbar) -> Quarantined and deleted successfully.

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Bad: (93.188.162.231,93.188.161.231) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0A768755-4B2E-4A0D-B630-4AEACEBEC7EF}\NameServer (Trojan.DNSChanger) -> Bad: (93.188.162.231,93.188.161.231) Good: () -> Quarantined and deleted successfully.

Infekterade mappar:
c:\documents and settings\administratör\application data\weatherdpa (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\administratör\application data\weatherdpa\Weather (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\administratör\application data\weatherdpa\Weather\weatherdpa (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\administratör\application data\weatherdpa\Weather\weatherdpa\weather_xml (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\Program\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\Program\funwebproducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\Program\funwebproducts\Installr\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start-meny\Program\Seekmo (Adware.Seekmo) -> Quarantined and deleted successfully.

Infekterade filer:
c:\Program\funwebproducts\Installr\2.bin\F3EZSETP.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\documents and settings\administratör\application data\weatherdpa\Weather\weatherstartup.xml (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\Program\funwebproducts\Installr\2.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\Program\funwebproducts\Installr\2.bin\NPFUNWEB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start-meny\Program\Seekmo\reset cursor.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start-meny\Program\Seekmo\seekmo customer support center.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start-meny\Program\Seekmo\seekmo uninstall instructions.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start-meny\Program\Seekmo\Weather.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
----------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Databasversion: 5363

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2011-01-08 10:15:50
mbam-log-2011-01-08 (10-15-50).txt

Skanningstyp: Fullständig skanning (C:\|D:\|G:\|H:\|)
Antal skannade objekt: 343713
Förfluten tid: 34 minut(er), 41 sekund(er)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 26

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
c:\masm32\DIALOGS\CALENDER\CALENDER.EXE (Trojan.Kates) -> Quarantined and deleted successfully.
c:\masm32\DIALOGS\SIMPLE\SIMPLE.EXE (Malware.Packer) -> Quarantined and deleted successfully.
c:\masm32\DIALOGS\TESTS\TESTS.EXE (Trojan.Kates) -> Quarantined and deleted successfully.
c:\Program\windows live\messenger\msimg32.dll (PUP.FunWebProducts) -> Not selected for removal.
d:\bildredigering\mywebface.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
d:\GUN2_F\masm32\DIALOGS\CALENDER\CALENDER.EXE (Trojan.Kates) -> Quarantined and deleted successfully.
d:\GUN2_F\masm32\DIALOGS\SIMPLE\SIMPLE.EXE (Malware.Packer) -> Quarantined and deleted successfully.
d:\GUN2_F\masm32\DIALOGS\TESTS\TESTS.EXE (Trojan.Kates) -> Quarantined and deleted successfully.
d:\masm32\examples\dialogs\calender\calender.exe (Trojan.Kates) -> Quarantined and deleted successfully.
d:\masm32\examples\dialogs\simple\simple.exe (Malware.Packer) -> Quarantined and deleted successfully.
d:\masm32\examples\dialogs\simple2\simple2.exe (Malware.Packer) -> Quarantined and deleted successfully.
d:\masm32\examples\dialogs\tests\tests.exe (Trojan.Kates) -> Quarantined and deleted successfully.
d:\masm32\examples\exampl05\qeplugin\qeplugin.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
d:\masm32\examples\exampl06\regdemo\regdemo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\masm32\examples\exampl07\rclkmenu\rclkmenu.exe (Malware.Packer) -> Quarantined and deleted successfully.
d:\masm32\examples_bu\dialogs\calender\calender.exe (Trojan.Kates) -> Quarantined and deleted successfully.
d:\masm32\examples_bu\dialogs\simple\simple.exe (Malware.Packer) -> Quarantined and deleted successfully.
d:\masm32\examples_bu\dialogs\simple2\simple2.exe (Malware.Packer) -> Quarantined and deleted successfully.
d:\masm32\examples_bu\dialogs\tests\tests.exe (Trojan.Kates) -> Quarantined and deleted successfully.
d:\masm32\examples_bu\exampl05\qeplugin\qeplugin.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
d:\masm32\examples_bu\exampl06\regdemo\regdemo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\masm32\examples_bu\exampl07\rclkmenu\rclkmenu.exe (Malware.Packer) -> Quarantined and deleted successfully.
d:\masm32\icztutes\tute03\win.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\masm32\icztutes\tute10-2\dialog.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\masm32\tools\makecimp\vcrtdemo\vcrtdemo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\masm32\tutorial\dlltute\dll\dlltute.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Although I chose the English language, the program seems to prefer Swedish :) so here are some clues:
skanningstyp - type of scan; infekterade - infected (minnesprocesser - memory processes; minnesmoduler - memory modules; registernycklar - registry keys; registervärden - registry values; registerdataposter - registry data entries; mappar - folders; filer - files;
(Inga illasinnade poster hittades - no 'mean' (hope that was correct) entries were found)

I also had a box popping up with an error report prepared by Windows, but it was not possible to send it. It continued popping up, but since I started the mobile broadband there was no problem sending it. The contents seemed to be in very general terms about something corrected by Windows.

Kent

Edited by beablanche, 08 January 2011 - 07:40 AM.


#6 teacup61

Posted 09 January 2011 - 07:37 AM

Hi Kent,

I can read the logs no matter what language they're in, so no problem. Thank you for translating for me. :thumbup2:

How is it running now please? Are you still redirected?

tea

#7 beablanche

Posted 10 January 2011 - 03:02 PM

Your site is a very welcome experience to me. Searching the net for answers to hw- as well as sw-questions and problems used to take quite a lot of work and has helped me on one or two rare occasions in the 90's and the early part of this century.
I sent your special invitation link to my 11 Facebook friends - 2 of them have already returned an 'I like' mark :)


In the BleepingComputer community, questions and problems in a variety of computing fields seem to have an answer or solution.

After having some progress today with a few cleansing actions - running Anti-Malware on my XP computer (this computer) and on my two Win98 computers - and applying a solution (that I got from stumbling on it at your site yesterday) to the problem of the very much alive-looking broadband router not letting me out to the net, I've now put away the mobile backup broadband equipment and connected to the net via that router :)
The procedure applied: close down the mobile equipment, turn on the router, and in the command prompt do "ipconfig /release" and "ipconfig /renew". I knew about this procedure before and tried it the other day after being allowed to do so by my provider, but nothing worked on that occasion.


The pop-ups with Windows-prepared error reports have stopped - guess there were more than one, because when I went on and on trying to send them the night before yesterday, the popping up eventually stopped. The Windows symbol for installing new corrections popped up and there were slightly more than 20 of them - after running those there were no more pop-ups until yesterday, and then there was only one new Windows correction install! Right now there is no update waiting.

There are two entries in the first one of the MBAM logs that make me wonder a lot - these two entries:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Bad: (93.188.162.231,93.188.161.231) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0A768755-4B2E-4A0D-B630-4AEACEBEC7EF}\NameServer (Trojan.DNSChanger) -> Bad: (93.188.162.231,93.188.161.231) Good: () -> Quarantined and deleted successfully.

I moved to a web hotel 3 months ago and the repointing of the domain name to new DNS servers seems to have puzzled my broadband provider on occasions since ...
If you have a comment, I'd be grateful.

Kent


Edited by beablanche, 10 January 2011 - 03:05 PM.

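The two Trojan.DNSChanger entries quoted above (and the full MBAM logs in post #5) are the kind of thing a responder wants to pull out of a log mechanically rather than by eye, together with anything the scanner detected but left in place. The script below is an added example, not part of this thread and not Malwarebytes' own code: it parses MBAM 1.x log lines (the Swedish section headers exactly as printed in the logs above, plus their English equivalents), flags DNSChanger "Bad:" resolver addresses that fall outside an allow-list, and lists detections marked "Not selected for removal". The allow-list (RFC 1918 ranges plus Google Public DNS), the short sample log embedded at the bottom, and the function names are all constructed for this example.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example).

Parses each detection line, keeps its log section, flags Trojan.DNSChanger
entries whose "Bad:" resolvers fall outside an allow-list, and lists items
MBAM detected but left in place ("Not selected for removal")."""
import ipaddress
import re
from collections import defaultdict

# Section headers as MBAM 1.x prints them: Swedish (as in the thread's logs)
# and the English equivalents, mapped to one internal name.
_SECTIONS = ["memory_processes", "memory_modules", "registry_keys",
             "registry_values", "registry_data", "folders", "files"]
_SV = ["Infekterade minnesprocesser", "Infekterade minnesmoduler",
       "Infekterade registernycklar", "Infekterade registervärden",
       "Infekterade registerdataposter", "Infekterade mappar", "Infekterade filer"]
_EN = ["Memory Processes Infected", "Memory Modules Infected", "Registry Keys Infected",
       "Registry Values Infected", "Registry Data Items Infected", "Folders Infected",
       "Files Infected"]
SECTION_NAMES = {**dict(zip(_SV, _SECTIONS)), **dict(zip(_EN, _SECTIONS))}

# "<path or key> (<Family.Name>) -> <action>"; registry data items carry
# "Bad: (...) Good: (...) -> <action>" in the action part.
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(
    r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")

# Constructed allow-list for this example: RFC 1918 space (a home router or
# ISP DHCP-assigned resolver) plus Google Public DNS.  Adjust per environment.
ALLOWED_RESOLVERS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "8.8.8.8/32", "8.8.4.4/32")]


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it sits in."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTION_NAMES:
            section = SECTION_NAMES[line[:-1]]
            continue
        m = ITEM_RE.match(line)
        if not m or section is None:   # counts, "(no items found)", separators
            continue
        entry = {"section": section, "target": m.group("target"),
                 "threat": m.group("threat"), "bad": [], "good": []}
        rest = m.group("rest")
        bg = BAD_GOOD_RE.match(rest)
        if bg:
            entry["bad"] = [v.strip() for v in bg.group("bad").split(",") if v.strip()]
            entry["good"] = [v.strip() for v in bg.group("good").split(",") if v.strip()]
            rest = bg.group("action")
        entry["action"] = rest
        entry["removed"] = not rest.startswith("Not selected")
        items.append(entry)
    return items


def rogue_resolvers(items, allowed=ALLOWED_RESOLVERS):
    """Resolver values from DNSChanger 'Bad:' lists that are not allow-listed."""
    rogue = set()
    for it in items:
        if "DNSChanger" not in it["threat"]:
            continue
        for value in it["bad"]:
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                rogue.add(value)           # not an IP literal at all: suspicious
                continue
            if not any(ip in net for net in allowed):
                rogue.add(value)
    return sorted(rogue)


def summarize(items):
    """Detections per section, and the targets MBAM left in place."""
    per_section = defaultdict(int)
    for it in items:
        per_section[it["section"]] += 1
    unresolved = [it["target"] for it in items if not it["removed"]]
    return dict(per_section), unresolved


# Constructed sample in the shape of the thread's first log (three lines only).
SAMPLE_LOG = """\
Infekterade registerdataposter:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer (Trojan.DNSChanger) -> Bad: (93.188.162.231,93.188.161.231) Good: () -> Quarantined and deleted successfully.

Infekterade mappar:
c:\\Program\\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Infekterade filer:
c:\\Program\\windows live\\messenger\\msimg32.dll (PUP.FunWebProducts) -> Not selected for removal.
"""
```

To run it against a saved log, read the file in the encoding MBAM wrote it in and pass the text to parse_mbam_log(), then hand the result to rogue_resolvers() and summarize(). Any address rogue_resolvers() returns is worth comparing with what "ipconfig /all" shows under DNS Servers after the cleanup: MBAM reset the NameServer value to empty ("Good: ()"), so the interface falls back to DHCP-supplied resolvers, and a release/renew as described in the post is what makes that take effect.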

#8 teacup61

Posted 12 January 2011 - 07:54 PM

Hi Kent,

Thank you for the kind words. :inlove:

I could not really get a clear idea.....are you being redirected still?

Yes, those entries that were deleted by MBAM are/were part of your problems. We'll get it taken care of. :thumbup2:

tea

#9 beablanche

Posted 14 January 2011 - 05:21 PM

tea,

I'm a bit confused about your question about redirects - yes, I've had redirects now and then for a while, but more before the 'system tool' presented itself. The addresses shown then were mostly of these kinds:
epoclick.com or google.com. Now that I've consulted the net about the concept of redirects, I've become aware that such redirects might result from malware. The two kinds of redirect that I had seem to have stopped in connection with our preventive activities, but there have been occasions when some kind of 'web page not found' or similar response has occurred - a few of them yesterday, when I was trying to address the web site
http://jigsaw.w3.org/css-validator/validator?uri=http%3A%2F%2Fbeacon.se%2Findex.html or just http://jigsaw.w3.org/css-validator/
Trying these URLs a short while ago (when writing this post) did not result in any error, though.

Anti-Malware now lets me download the dbs OK, which did not succeed the other day as you might remember. The last complete scan on the C disk was made today after downloading db 5519 and there were no remarks at all, except for:
c:\Program\windows live\messenger\msimg32.dll (PUP.FunWebProducts) -> Not selected for removal.
which I have now listed in the ignore list.

Is there a more direct way to try to make these redirects occur, so I can write down what happens (could even take a screen copy (bmp or png) of what shows)?

Hoping your kind patience with my case hasn't completely ceased :)
Kent

Edited by beablanche, 14 January 2011 - 05:25 PM.


#10 teacup61

Posted 27 January 2011 - 11:16 PM

Nope.....still here. Sorry for my delay.:(

I would really like to have a scan with ComboFix....that would clear up the majority of the problems, if not all. AVG does have a removal tool.....have you tried it? If so....Try turning off AVG and running ComboFix in Safe Mode, if it won't uninstall.

Thanks,
tea

#11 beablanche

Posted 28 January 2011 - 11:23 AM

Hi tea, love to see you :flowers: back and in action - I take it that you got well.

No way to deactivate AVG and no way to uninstall it via the control panel, so thanks to your tip I could download the removal tool, the existence of which I did not know.
So, running in Safe Mode with Networking, I removed AVG. When I started ComboFix, I was offered a newer version, which I accepted. It was a joy to run such a presumably powerful tool. The text printouts as well as the log texts are in Swedish, but I'm sure you'll manage to read it!
Then I managed to locate and download AVG to reinstall and I got their newest version, AVG 2011. To install it, I was advised to return to normal mode. All went well and the initial scan is up and running right now - more than 800,000 objects scanned so far!

Hoping that I managed to attach the log OK - please tell me if not!
cu
Kent

Attached Files



#12 teacup61

Posted 28 January 2011 - 12:41 PM

Hi Kent,

Excellent! :thumbsup: Yes, the log did attach properly, and I've looked it over. :)

Has your scan finished yet? I'd like to know what it reported. I'm sure there will be quite a lot. I would also like to have a quick scan in normal mode with MBAM, please.

After all this, are you still being redirected?

Thanks,
tea

#13 beablanche

Posted 28 January 2011 - 05:18 PM

Hi there, tea, sorry about my misuse of this interface - haven't quite learnt to use it yet!

The attachments are PNG images of reports from the AVG scan - couldn't find a text file interface like in MBAM, but hope this will do!

The MBAM log from the quick MBAM scan:
------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Databasversion: 5616

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2011-01-28 19:28:13
mbam-log-2011-01-28 (19-28-13).txt

Skanningstyp: Snabbskanning
Antal skannade objekt: 181596
Förfluten tid: 4 minut(er), 45 sekund(er)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 0

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
(Inga illasinnade poster hittades)
------------------------------------------------------------------------------------------------------------------
So, those reports were not so large. In the AVG report a couple of files were mentioned which were fetched from one of my Win98 computers years ago!
Hope this will be OK

Added 07:05 2011-01-29
I'll look out for any redirect events for a couple of days and be back here with some comment on whether there have been any. The epoclick and google redirects have definitely ceased to show for quite a while (weeks) now.

Kent

Attached Files


Edited by beablanche, 29 January 2011 - 01:06 AM.


#14 teacup61

Posted 29 January 2011 - 02:55 PM

Do you use this? Something you added by choice? Search the web (Babylon)

#15 beablanche

Posted 30 January 2011 - 01:39 AM

Hi there, tea,
No, I didn't choose it - it was suddenly there on top of the screen when running IE8!
I'm not using it and I thought I'd managed to get rid of it - tried some link to radio stations but didn't get any response!

Added 13:02 2011-01-30:
Found some more from AVG - the Virus Vault. As the only text-like output from AVG seems to be a .cvg file (not allowed to upload here), I split the report into 3 .png image parts and zipped those into the attached file. Besides the 3 items reported before, there were some cookie warnings and two 'infected' items, one of which was stored in the vault as late as 2011-01-10!

Attached Files


Edited by beablanche, 30 January 2011 - 07:03 AM.




