
IRC not working Vista32, Trojan.BHO,Trojan.Vundo, Adware.MyWebSearch, Worm.KoobFace,


11 replies to this topic

#1 ProfB

Posted 18 March 2011 - 06:39 PM

I'm running Windows Vista Home Premium 32-bit SP2 on a Toshiba Satellite L305D laptop. I'm connected to the internet via VZAccess Manager's version for a Verizon MiFi 2200 wireless device on a wireless 3G connection, using the built-in Atheros AR5007EG Wireless Network Adapter. I have AVAST free version and MalwareBytes' Anti-Malware, and I noticed a McAfee virus scanner was already installed.

I do not have the ability to take the computer back to factory settings because my family member seems to have misplaced the discs. I am trying to get a family member's computer running correctly. I have removed many programs/toolbars for the web browsers that were bulking up the view and not needed.

Then I went on to get IRC working. I'm getting a 10060 error when trying to connect to any IRC server using multiple programs. I've tried to reset TCP/IP, Windows Socket, and Windows Firewall. I've also tried to connect to IRC with firewall completely turned off.

I used these commands while in "elevation." I've tried them in different orders, with and without rebooting in between, and many ipconfig reset/renews.

netsh int ip reset reset.txt
netsh winsock reset
netsh advfirewall reset

After all efforts left me with the same problem, I decided to download AVAST free version, which came up clean in a full scan.

I then rebooted to safe mode with networking and downloaded MalwareBytes' Anti-Malware, which produced the log below. Using Google and the names of the infections found, I was led to a website telling me to use ComboFix; searching for ComboFix led me here. I have not installed ComboFix.

I assume I need to first focus on making sure all infections are completely clean. I can resume getting help with IRC if needed afterwards.

Hope you can help, thank you.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6100

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19019

3/18/2011 5:00:31 PM
mbam-log-2011-03-18 (17-00-31).txt

Scan type: Full scan (C:\|)
Objects scanned: 274346
Time elapsed: 40 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 37
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66D8FBA6-D90F-40A9-AC55-84896F79CA69} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66D8FBA6-D90F-40A9-AC55-84896F79CA69} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{66D8FBA6-D90F-40A9-AC55-84896F79CA69} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{66D8FBA6-D90F-40A9-AC55-84896F79CA69} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4D7B-9389-0F166788785A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_project.bho_object.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\mywebsearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\MawMaw\local settings\application data\0535049569854.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\Users\MawMaw\local settings\application data\05554525610056.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\Users\MawMaw\local settings\application data\0564998519954.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.

Edited by ProfB, 18 March 2011 - 07:05 PM.
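The MBAM log above has a regular shape (section headers, then one "item (Family) -> action." line per detection), so it can be read by a script rather than by eye. The following is an added example, not code from the thread or from Malwarebytes: it parses that format, tallies detections per family and section, flags registry locations that give a BHO/adware component a foothold in the browser (a list this example assumes, not part of the log format), and lists anything the scanner did not remove. SAMPLE_LOG is a constructed excerpt modelled on the posted log.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM 1.50) text log and summarise it.
Added example, not part of the forum thread; SAMPLE_LOG is a constructed
excerpt modelled on the log posted above."""
import re
from collections import Counter

# Section headers read "Registry Keys Infected:" with nothing after the colon;
# the summary block's "Registry Keys Infected: 37" must not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")
# Detail lines read "<item> (<Family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Registry locations that give a BHO/adware component a foothold in the browser
# (this example's own list, not part of the MBAM log format).
PERSISTENCE_HINTS = (r"\\Browser Helper Objects\\",
                     r"\\Low Rights\\ElevationPolicy\\",
                     r"\\Low Rights\\RunDll32Policy\\")

def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, action."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            findings.append({"section": section, **m.groupdict()})
    return findings

def summarize(findings):
    """Tally by family and section; flag persistence keys and anything not removed."""
    return {
        "by_family": dict(Counter(f["family"] for f in findings)),
        "by_section": dict(Counter(f["section"] for f in findings)),
        "persistence": [f["item"] for f in findings
                        if any(re.search(p, f["item"], re.I) for p in PERSISTENCE_HINTS)],
        "not_removed": [f["item"] for f in findings if "successfully" not in f["action"]],
    }

# Constructed excerpt (one action altered to "Delete on reboot" to exercise not_removed).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Registry Keys Infected: 5

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66D8FBA6-D90F-40A9-AC55-84896F79CA69} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_project.bho_object.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Delete on reboot.

Files Infected:
c:\Users\MawMaw\local settings\application data\0535049569854.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\Users\MawMaw\local settings\application data\05554525610056.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.
"""

def demo():
    return summarize(parse_mbam_log(SAMPLE_LOG))
```

Running demo() on the full posted log would show the same three families, with the Browser Helper Objects and Low Rights\ElevationPolicy keys called out as the entries worth re-checking after a reboot.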

#2 boopme
  • Global Moderator

Posted 18 March 2011 - 07:16 PM

Hello, ProfB.
From the blue text above this forum, good choice.
ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.


McAfee virus scanner

?? Is this an antivirus, or something like HouseCall? If the first, McAfee needs to be uninstalled.

Let's run these next and see if there is more.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Now an Online scan.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


If after these you still can't use IRC...

There is, in fact, no MySQL error with that number. The actual error number is at the beginning of the message (i.e.: "ERROR 2003: Can't connect to MySQL server (10060)").

See this>> L@@K
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 ProfB
Posted 18 March 2011 - 07:22 PM

McAfee Security Scan Plus has been removed using the Windows "Programs and Features." I believe it was installed as part of the installation of another program.

Moving on to the rest of your post.

#4 ProfB
Posted 18 March 2011 - 07:35 PM

I'm also doing all of this in safe mode with networking. I'll check the thread regularly to see if this is OK while I keep going.

In safe-mode the TDSS Rootkit removal tool produced no infections.

Edited by ProfB, 18 March 2011 - 07:35 PM.


#5 boopme
  • Global Moderator

Posted 18 March 2011 - 07:45 PM

I would prefer that these run from Normal if possible.

#6 ProfB
Posted 18 March 2011 - 10:31 PM

TDSS still came up clean in normal boot.

ESET online:

C:\Users\MawMaw\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\2e8b8252-790ef5cc Java/TrojanDownloader.Agent.NBU trojan deleted - quarantined
C:\Users\MawMaw\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\43523b5e-4f75b62c multiple threats deleted - quarantined
C:\Users\MawMaw\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\33d3a28-2302e416 multiple threats deleted - quarantined
C:\Users\MawMaw\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\6e7bf668-65d2e508 multiple threats deleted - quarantined

#7 boopme
  • Global Moderator

Posted 19 March 2011 - 09:32 AM

Hello, can you connect to IRC now?
What version of Java, if any, is running?
Go into Control Panel > Add/Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their versions. (Highlight the program to see this.)

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.

#8 ProfB
Posted 19 March 2011 - 01:08 PM

IRC servers are being blocked by Verizon wireless just because they are easy to block. I ran a tracert and I get through about 15 hops then start timing out while still in my hometown. Did a search on Verizon Wireless blocking IRC and came up with loads of information.


Java™6 Update 6 (Sun Micro.) 5-5-2008
Java™6 Update 24 (Oracle) 3-18-2011 (This was installed by me probably because I use Chrome and was trying to connect to IRC through JAVA web apps)

-Just a rant, I've got a case of hives from allergic reaction and I'm a bit bored. lol
I have to say, for 1 gig of RAM this computer was a very good and cheap buy for the person I purchased it for. It wasn't that slow over the last couple of days and now it's working even better. Thank you. They had it loaded with some type of program at Fry's Electronics that was eating up 100% of the RAM, trying to get me to buy a computer with 4 gigs. It was such a hassle to walk out of the store with this computer. I stopped the process of the program that was obviously only there to cause the computer lag and it worked perfectly. Told him I'd take it and he told me they had no more. I had to go to someone else in the store to even buy the computer. After I was done with that I spent about $3500 on building a high-end PC, not including the Sharp Aquos, and that guy trying to fool me missed out on all the commission. You gotta watch those places. They try to fool people with settings to make a computer with less RAM but faster technology seem slower than a computer they haven't been able to sell in a year.


MBAM came up clean. Since no rootkits were identified earlier, I'm guessing we probably got everything and won't need to use a program like ComboFix. Still going to stick around for your advice though! Really appreciate your help.

#9 ProfB
Posted 19 March 2011 - 01:13 PM

I'm going to have to find an alternate way to connect to IRC probably through VPN/SSH since I believe they are blocking the protocol and not the ports. I really can't see blocking IRC on wireless connections making a big impact. Sounds like some guy with a stick up his butt got his way about something and no one else knew what he was talking about. If they want to block something start with /b.
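The distinction drawn above between the ISP dropping the port and filtering the protocol can be checked from the client side. The script below is an added example in Python, not code from the thread: a connect() that times out is the Winsock 10060 (WSAETIMEDOUT) case from the first post, no SYN-ACK coming back, which is what port-level blocking or a silent drop looks like; a connect that succeeds but whose IRC registration gets no reply is what protocol-aware blocking would look like. The loopback fake ircd and the nick "probe" are constructed for the self-test only.

```python
"""Tell apart the ways an IRC connection can fail (added example, not from the thread).
A connect() timeout is the Winsock 10060 / WSAETIMEDOUT case (no SYN-ACK came back);
a connect that works but whose IRC registration gets no reply is what protocol-aware
blocking would look like.  The fake ircd below is constructed for the self-test only."""
import errno
import socket
import threading

WSAETIMEDOUT = 10060  # Winsock value reported in the thread; POSIX uses errno.ETIMEDOUT

def probe_irc(host, port, nick="probe", timeout=3.0):
    """Return 'ok', 'timeout', 'refused', 'dns', 'connected-no-reply' or 'error'."""
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "dns"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(addr)
    except socket.timeout:
        return "timeout"              # no SYN-ACK within the timeout: the 10060 case
    except ConnectionRefusedError:
        return "refused"              # RST came back: host reachable, nothing listening
    except OSError as e:
        return "timeout" if e.errno in (errno.ETIMEDOUT, WSAETIMEDOUT) else "error"
    try:
        # Minimal IRC registration (RFC 1459): NICK, USER, then wait for any reply line.
        s.sendall(f"NICK {nick}\r\nUSER {nick} 0 * :{nick}\r\n".encode())
        return "ok" if s.recv(512) else "connected-no-reply"
    except (socket.timeout, ConnectionResetError):
        return "connected-no-reply"   # TCP was allowed but the IRC exchange was cut off
    finally:
        s.close()

def start_fake_ircd():
    """Constructed loopback listener that answers registration like an ircd; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.settimeout(3.0)
            buf = b""
            while b"USER " not in buf:
                chunk = conn.recv(512)
                if not chunk:
                    return
                buf += chunk
            conn.sendall(b":irc.example 001 probe :Welcome to the constructed test server\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_loopback_port():
    """Pick a port nothing is listening on, to show the 'refused' outcome."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    print("fake ircd:", probe_irc("127.0.0.1", start_fake_ircd()))
    print("closed port:", probe_irc("127.0.0.1", closed_loopback_port()))
```

Pointed at the real server that was timing out, "timeout" on port 6667 confirms the first post's 10060 symptom, while "connected-no-reply" would support the protocol-filtering reading.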

#10 boopme
  • Global Moderator

Posted 19 March 2011 - 03:22 PM

Hello, uninstall that Java™6 Update 6, it can be exploited, and reboot.
Start a new topic here, Web Browsing/Email and Other Internet Applications. I am sure someone there with more knowledge of IRC connections can straighten this out.

#11 ProfB
Posted 20 March 2011 - 02:59 PM

Alright, everything seems to be running normally and smoother. Appreciate your help. I started a thread before I figured out exactly why IRC wouldn't work. Now that I know it's the ISP actually blocking the protocol just to block it, I'll have to find a way around it, probably by SSH/VPN tunneling or possibly a proxy.

Thank you!

#12 boopme
  • Global Moderator

Posted 20 March 2011 - 03:17 PM

You're welcome !!