
AOL Webmail requiring credit card and PIN information


5 replies to this topic

#1 efrost

Posted 13 July 2011 - 10:28 AM

I obviously caught something on one of my computers. It's an XP system and every time I try to log into AOL, after entering my password, a window comes up asking for credit card and PIN information which is obviously not from AOL. I've tried multiple avenues to remove this virus/trojan with AVG, Microsoft Security Essentials, & Malwarebytes, but everything comes up clean, whether run in full mode or safe mode. I get the same issue when using IE or Firefox.
AOL recommends to log into www.aol.com and go from there, but that doesn't change anything.
Anyone know how to remove this annoying issue?
Thanks in advance for any help.. this is driving me up a wall as I can't see any easy method to remove it.. don't even know what it's called, but whoever created it has done a great job of avoiding its removal.

efrost



#2 quietman7


Posted 13 July 2011 - 11:26 AM

Please download aswMBR.exe and save it to your Desktop.
  • Double click on aswMBR.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Scan button to start scan.
  • On completion of the scan, click the Save log button and save it to your Desktop.
  • Do not select any Fix options at this time.
  • Copy and paste the contents of that log in your next reply.
-- Important note: Upon the first run, aswMBR will back up the MBR and save it to the Desktop as MBR.dat. Do not delete this file unless advised.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 efrost


Posted 13 July 2011 - 03:37 PM

Thank you for helping out with this.. here is the log:

aswMBR version 0.9.7.707 Copyright© 2011 AVAST Software
Run date: 2011-07-13 15:44:55
-----------------------------
15:44:55.656 OS Version: Windows 5.1.2600 Service Pack 3
15:44:55.656 Number of processors: 4 586 0x1707
15:44:55.656 ComputerName: ELVIN UserName:
15:44:56.343 Initialize success
15:46:03.562 AVAST engine defs: 11071301
15:46:12.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7
15:46:12.000 Disk 0 Vendor: WDC_WD3200AAKS-00B3A0 01.03A01 Size: 305245MB BusType: 3
15:46:12.000 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-1f
15:46:12.000 Disk 1 Vendor: WDC_WD3200AAKS-00B3A0 01.03A01 Size: 305245MB BusType: 3
15:46:14.015 Disk 0 MBR read successfully
15:46:14.015 Disk 0 MBR scan
15:46:14.015 Disk 0 unknown MBR code
15:46:14.031 Disk 0 MBR hidden
15:46:16.031 Disk 0 scanning sectors +625137345
15:46:16.062 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
15:46:16.062 Disk 0 PE file @ sector 625137370 !
15:46:16.062 Disk 0 MBR [Win32:MBRoot] **ROOTKIT**
15:46:16.062 Disk 0 trace - called modules:
15:46:16.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a55cb30]<<
15:46:16.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b2bc030]
15:46:16.078 3 CLASSPNP.SYS[b8188fd7] -> nt!IofCallDriver -> \Device\000000ac[0x8b2b9e98]
15:46:16.078 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-7[0x8b26e940]
15:46:17.390 AVAST engine scan C:\WINDOWS
16:12:05.812 AVAST engine scan C:\Documents and Settings\Elvin Frost
16:26:31.750 AVAST engine scan C:\Documents and Settings\All Users
16:31:07.671 Scan finished successfully
16:35:44.562 Disk 0 MBR has been saved successfully to "\\Notebook\Nexlink Notebook C\Test\MBR.dat"
16:35:44.656 The log file has been saved successfully to "\\Notebook\Nexlink Notebook C\Test\aswMBR.txt"
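
Added example, not part of the original thread and not aswMBR's own code: a small Python triage of the indicator lines in the log above, so the lines that point to the MBR rootkit stand out from routine scan output. The regular expressions are assumptions inferred from the wording of this one log, and the names `triage` and `infected_disks` are hypothetical.

```python
import re

# Excerpt of the aswMBR log from post #3 above (most lines omitted).
SAMPLE_LOG = r"""
15:46:14.015 Disk 0 MBR read successfully
15:46:14.015 Disk 0 unknown MBR code
15:46:14.031 Disk 0 MBR hidden
15:46:16.062 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
15:46:16.062 Disk 0 PE file @ sector 625137370 !
15:46:16.062 Disk 0 MBR [Win32:MBRoot] **ROOTKIT**
15:46:16.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a55cb30]<<
15:46:17.390 AVAST engine scan C:\WINDOWS
"""

# Assumption: patterns inferred from the wording of this one log,
# not taken from aswMBR documentation.
RULES = [
    ("unknown_mbr_code", re.compile(r"Disk (?P<disk>\d+) unknown MBR code")),
    ("mbr_hidden", re.compile(r"Disk (?P<disk>\d+) MBR hidden")),
    ("malicious_code", re.compile(
        r"Disk (?P<disk>\d+) malicious (?P<name>\S+) code @ sector (?P<sector>\d+)")),
    ("pe_file", re.compile(r"Disk (?P<disk>\d+) PE file @ sector (?P<sector>\d+)")),
    ("rootkit_verdict", re.compile(
        r"Disk (?P<disk>\d+) MBR \[(?P<name>[^\]]+)\] \*\*ROOTKIT\*\*")),
    ("unknown_module", re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")),
]
LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")

def triage(log_text):
    """Return one finding per log line that matches an indicator rule."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header, separator or blank line
        stamp, message = m.groups()
        for kind, pattern in RULES:
            hit = pattern.search(message)
            if hit:
                findings.append({"time": stamp, "kind": kind, **hit.groupdict()})
                break
    return findings

def infected_disks(findings):
    """Disk numbers for which the tool reported malicious code or a rootkit verdict."""
    verdicts = ("malicious_code", "rootkit_verdict")
    return sorted({int(f["disk"]) for f in findings if f["kind"] in verdicts})

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```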

#4 quietman7


Posted 13 July 2011 - 09:07 PM

Rerun aswMBR.exe again.
  • Click the Scan button.
  • On completion of the scan, click the [Fix] for TDL4 (MBRoot) or [FixMBR] for Whistler (button select as appropriate) as shown here.
  • Wait for the tool to report 'Infection fixed successfully', then reboot the machine.
  • Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.
  • Save the log as before and post in your next reply.
Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive as a side effect from the fix. If that is the case, you may have to do a hard boot of your machine.

#5 efrost


Posted 14 July 2011 - 09:02 AM

Looks like I'm all set now.. thank you sir for your help!

#6 quietman7


Posted 14 July 2011 - 11:01 AM

You're welcome.

I recommend following up with an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  • Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check Posted Image and make sure that the option Remove found threats is NOT checked.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.
