
c:\Windows\assembly\tmp\U\800000c0.@ --Trojan Agent


8 replies to this topic

#1 goods

  • Members
  • 7 posts

Posted 27 October 2011 - 10:48 AM

Hello and thanks for taking the time to read this.

Yesterday my computer started acting up and loading webpages by itself in Firefox. It also redirects me to sites I never intended on visiting.

I figured I had a virus or some sort of malware and ran a full scan of Malwarebytes.

Here are the results. I am using Windows Vista 64-bit.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8026

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

27/10/2011 11:18:48 AM
mbam-log-2011-10-27 (11-18-48).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 529450
Time elapsed: 1 hour(s), 23 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent) -> Value: Shell -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\assembly\tmp\U\800000c0.@ (Trojan.Agent) -> Quarantined and deleted successfully.

________________________________

Now, I've run Malwarebytes twice and apparently it keeps coming back even though these things say successfully removed. I have rebooted my computer, by the way.

I've also run Spybot and Temp File Cleaner by OldTimer; not quite sure how or if it is necessary to post those logs.

Any help would be greatly appreciated.

Thanks again for your time,

A.P.
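The log pasted above has a fixed layout: "Key: value" header lines, one "<Section> Infected: <n>" total per category, and then one "<Section> Infected:" block per category listing either "(No malicious items detected)" or "<location> (<threat>) -> <action>." lines. The following Python script is an added example for this thread (it is not Malwarebytes' code and was not posted by anyone here). It parses a log in that format, marks detections that sit in autostart locations (the Winlogon Shell value in this log is one), marks items whose action is "Delete on reboot" rather than an immediate quarantine, and compares each section's total with the items actually listed. SAMPLE_LOG is a constructed excerpt that mirrors the posted log, including its "Files Infected: 5" total with only one file line under it; AUTOSTART_MARKERS is an assumed short list of well-known autostart registry paths, not something the log format defines.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log (format taken from the
log pasted in the first post).  Added example for this thread, not
Malwarebytes code.  SAMPLE_LOG is a constructed excerpt."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8026

Scan type: Full scan (C:\|E:\|)
Objects scanned: 529450

Registry Keys Infected: 0
Registry Values Infected: 1
Files Infected: 5

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent) -> Value: Shell -> Delete on reboot.

Files Infected:
c:\Windows\assembly\tmp\U\800000c0.@ (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")

# Assumed list of autostart registry paths; a hijacked one brings the
# malware back on every boot (lower-case substrings of the location).
AUTOSTART_MARKERS = ("winlogon\\shell", "winlogon\\userinit", "currentversion\\run")


@dataclass
class Detection:
    section: str
    location: str
    threat: str
    action: str

    @property
    def pending_reboot(self) -> bool:
        # MBAM could not remove the item in place and deferred it to the next restart.
        return "on reboot" in self.action.lower()

    @property
    def is_autostart(self) -> bool:
        loc = self.location.lower()
        return any(marker in loc for marker in AUTOSTART_MARKERS)


@dataclass
class MbamReport:
    metadata: dict = field(default_factory=dict)
    summary: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    def count_mismatches(self) -> dict:
        """Sections whose total differs from the items actually listed; a sign
        the pasted log was trimmed and the full file should be requested."""
        listed = {}
        for d in self.detections:
            listed[d.section] = listed.get(d.section, 0) + 1
        return {s: (n, listed.get(s, 0)) for s, n in self.summary.items()
                if n != listed.get(s, 0)}

    def autostart_hits(self) -> list:
        return [d for d in self.detections if d.is_autostart]


def parse_mbam_log(text: str) -> MbamReport:
    report = MbamReport()
    section = None  # None while still in the header part of the log
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SUMMARY_RE.match(line)):
            report.summary[m["section"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):
            section = m["section"]
        elif section is not None:
            if line == "(No malicious items detected)":
                continue
            if (m := ITEM_RE.match(line)):
                report.detections.append(
                    Detection(section, m["location"], m["threat"], m["action"]))
        elif (m := HEADER_RE.match(line)):
            report.metadata[m["key"]] = m["value"]
    return report


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    for d in report.detections:
        flags = (" [autostart]" if d.is_autostart else "") + \
                (" [pending reboot]" if d.pending_reboot else "")
        print(f"{d.section}: {d.threat} at {d.location}{flags}")
    for sec, (claimed, listed) in report.count_mismatches().items():
        print(f"{sec}: log claims {claimed} item(s) but lists {listed}")
```

Two things the script surfaces in this particular log: the Winlogon Shell value is an autostart location and its action is "Delete on reboot", so it had not actually been removed when the log was written, which is the first thing to check when a scan appears to find the same item again; and "Files Infected: 5" is followed by a single file line, so the pasted log is shorter than the scan's own count and the full mbam-log file is worth reading in its entirety.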


#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 October 2011 - 02:36 PM

Hello. Let's look at the system and run 2 more scans.
Are you running SpyBot's TeaTimer?

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (2.6.11.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.


Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/


  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • Super should automatically update the program definitions. If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  • Close SUPERAntiSpyware.
Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

  • Open SUPERAntiSpyware.
  • Click on "Preferences" button.
  • Click the "Scanning Control" tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
  • Click the "Home" button to leave the control center screen.
  • Back on the main screen checkmark "Complete scan" and click "Scan your computer".
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Copy and paste the Scan Log results in your next reply with a new HijackThis log.
  • Click Close to exit the program.

Post SUPERAntiSpyware log.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 goods

  • Topic Starter
  • Members
  • 7 posts

Posted 27 October 2011 - 07:55 PM

Hey, thanks a lot for the quick reply.

Edit: I'm using SpyBot Search and Destroy, not a clue what teatimer is.

Here are the logs I've managed to get. For some reason the SUPERAntiSpyware safe-mode scan crashed (just stopped running?) after an hour, and I have to use my computer for some work, so I will try again a bit later. I have no idea why it happened. I do have a quick scan and will post it; maybe it will be of some use.

TDSSKiller

MiniToolBox

Wasn't asked for, but noticed it being posted on some threads.
GMER

Quick Scan SUPERAnti

Hopefully these links work, thanks again.

Edited by goods, 27 October 2011 - 07:57 PM.


#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 October 2011 - 08:53 PM

OK, not much there, and what was is removed.
TeaTimer is a Hosts app for SpyBot.
I still want to reset yours.

Your HOSTS file may be infected.
Reset the HOSTS file
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system.
Some types of malware will alter the HOSTS file as part of its infection. Please follow the instructions provided in How do I reset the hosts file back to the default?

To reset the hosts file automatically, go HERE and click the Fix it button. Then just follow the prompts in the Fix it wizard.


OR
Click Run in the File Download dialog box or save MicrosoftFixit50267.msi to your Desktop and double-click on it to run. Then just follow the prompts in the Fix it wizard.
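The reset above replaces the whole hosts file with the stock one. For a reader who wants to see what the file looked like before resetting it, the following Python script is an added example (it is not part of the Microsoft Fix it or of BleepingComputer's instructions). It parses a hosts file, ignoring comments and blank lines the way the resolver does, and reports every mapping that is not in a stock file: a name pointed at a non-loopback address is a redirect, and a name pinned to loopback is a block, which is how infections keep security vendors' update sites unreachable. Assumptions: a stock Windows hosts file resolves only localhost (STOCK_ENTRIES); HOSTS_PATH is the usual Windows location of the file; SAMPLE_HOSTS is a constructed file whose tampered entry uses the TEST-NET-1 documentation range (192.0.2.0/24) rather than any real address.

```python
"""Audit a Windows hosts file for non-stock mappings.  Added example for this
thread; it assumes a stock file resolves only localhost.  SAMPLE_HOSTS is a
constructed input."""
import ipaddress
from dataclasses import dataclass

# Usual location of the file on Windows (assumption; adjust if Windows lives elsewhere).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Mappings present in an untouched hosts file (assumption, see docstring).
STOCK_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

SAMPLE_HOSTS = """\
# Constructed sample: comments and blank lines are ignored by the resolver.
127.0.0.1       localhost
::1             localhost

# Constructed tampered lines follow (192.0.2.0/24 is a documentation range).
192.0.2.10\twww.google.com google.com   # redirect: lookups go to a server the user does not control
127.0.0.1       www.malwarebytes.org    # block: vendor site pinned to loopback
"""


@dataclass
class HostsEntry:
    lineno: int
    address: str
    hostnames: list


def parse_hosts(text: str) -> list:
    """Return the effective entries, dropping comments, blanks and malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # everything after '#' is a comment
        fields = line.split()                  # any run of spaces or tabs separates fields
        if len(fields) < 2:
            continue                           # blank, comment-only or address without a name
        entries.append(HostsEntry(lineno, fields[0], fields[1:]))
    return entries


def is_loopback(address: str) -> bool:
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # not a valid IP literal at all; treat as non-loopback


def audit(entries: list) -> list:
    """List (lineno, hostname, address, verdict) for every mapping not in a stock file."""
    findings = []
    for entry in entries:
        for host in entry.hostnames:
            if (entry.address, host.lower()) in STOCK_ENTRIES:
                continue
            verdict = "blocked" if is_loopback(entry.address) else "redirected"
            findings.append((entry.lineno, host, entry.address, verdict))
    return findings


def is_stock(entries: list) -> bool:
    """True when the file contains nothing beyond the stock localhost mappings."""
    return all((e.address, h.lower()) in STOCK_ENTRIES
               for e in entries for h in e.hostnames)


def audit_file(path: str = HOSTS_PATH) -> list:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(parse_hosts(fh.read()))


if __name__ == "__main__":
    for lineno, host, address, verdict in audit(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {lineno}: {host} -> {address} ({verdict})")
```

Run against the real file with audit_file() (reading it needs no elevation; only writing it does). An empty result means the file is already stock and the redirects are coming from somewhere else, such as the browser or a DNS setting, which is what the MiniToolBox proxy and DNS items in post #2 cover.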

#5 goods

  • Topic Starter
  • Members
  • 7 posts

Posted 27 October 2011 - 09:08 PM

I've run the Fix it -- I'll assume the next step is running something like Malwarebytes again?

Thanks

#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 October 2011 - 09:25 PM

Yes, update and run a Full scan.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select FULL scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.

#7 goods

  • Topic Starter
  • Members
  • 7 posts

Posted 27 October 2011 - 10:56 PM

Malwarebytes Log

It appears to have worked!

The logs came back the same, but I haven't been having the redirect problem as of yet; hopefully they won't reappear.

Thank you so very much for being so helpful and giving me your time. The website you guys run here is truly an invaluable tool.

I will run another scan tomorrow and see if anything comes up.

Thanks again, boopme.
Cheers,

AP

#8 goods

  • Topic Starter
  • Members
  • 7 posts

Posted 27 October 2011 - 11:41 PM

Ahhh, it's back. But I think I have a bit more information about it.

Windows keeps telling me (via pop-up) something 'Host' related has failed (I will screenshot it when it happens again) and then this pops up afterward:

screenshot of Window's popup

I can't be certain, but I believe this Windows popup occurred after I visited piratebay. Visiting piratebay prompted a popup for some online poker and then shortly after I noticed the redirecting started happening again.

Up until this point NO redirecting was occurring.

Edit: it seems I only get redirected when I visit a website THROUGH 'google'.

This is aggravating. I will run Fix it and Malwarebytes again in the meantime -- and not go back to that website.

Thanks

Edited by goods, 27 October 2011 - 11:46 PM.


#9 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 October 2011 - 02:01 PM

Please download GooredFix from one of the locations below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).




