popup MBAM blocking malicious sites


7 replies to this topic

#1 woodstock jim

woodstock jim

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 28 January 2012 - 02:11 PM

Computer continually pops up a message that Malware bytes successfully prevented a program from accessing a potentially malicious site and then lists the site address which changes with each instance.

In prepping the computer, DDS runs for about 4-5 minutes posting cross hatches but then freezes. I have successfully run Malwarebytes and removed 20 or so trojans, viruses etc. from the laptop.
Any ideas how to proceed from here?
Thanks
Jim

Edited by hamluis, 28 January 2012 - 03:32 PM.
No logs, moved from Malware Removal Logs to Am I Infected.



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:07:03 PM

Posted 28 January 2012 - 09:11 PM

Download

TDSSkiller

Launch it. Click on Change parameters, select TDLFS file system.

Click on "Scan". Please post the LOG report.



Please download GMER from here (does not work on 64-bit OS):

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Download

aswMBR

Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here

#3 woodstock jim

woodstock jim
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 29 January 2012 - 09:16 AM

I cannot get TDSSKiller to run on the infected machine. I downloaded it, saved it to a memory stick, moved it to the infected machine's desktop and cannot get it to run from there.

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:07:03 PM

Posted 29 January 2012 - 09:26 AM

A rootkit is blocking it, it seems.

Can you run GMER and aswMBR?

#5 woodstock jim

woodstock jim
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 29 January 2012 - 09:36 AM

Yes, here is the GMER log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-29 09:32:27
Windows 5.1.2600 Service Pack 3
Running: hwy1q4me.exe; Driver: C:\DOCUME~1\CLIFFW~1\LOCALS~1\Temp\pwrdyfob.sys


---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Application Data\Microsoft\Internet Explorer\UserData\2RFA5OHE\meebo[1].xml 96 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[2].txt 609 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@t.pointroll[2].txt 83 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@tap.rubiconproject[2].txt 84 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@tap2-cdn.rubiconproject[1].txt 509 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@us-ads.openx[2].txt 109 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@v8juice[2].txt 341 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@w55c[1].txt 1110 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt 363 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@hrblock[2].txt 227 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@www.lexus[1].txt 102 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@www.mevio[2].txt 279 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@yumenetworks[2].txt 494 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@lexus[2].txt 578 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@mevio[2].txt 926 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@pixel.rubiconproject[1].txt 452 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@pointroll[1].txt 167 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3170324400 0 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816 0 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\bckfg.tmp 854 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\cfg.ini 240 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\keywords 117 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\L 0 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\L\pavtnywh 162816 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\oemid 21 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U 0 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\version 854 bytes

---- EOF - GMER 1.0.15 ----

Working on the other one now
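As an added example that is not part of the thread, the following Python script parses the "Files" section of a GMER log of the shape posted above. It pulls out each path and size and flags entries living under a `$NtUninstallKB…$` folder with a numeric subfolder holding `@`, `U\` and `L\` entries, the layout visible in the log (reply #7 below names ZeroAccess as the infection). The sample log is a constructed subset of the posted one, and the directory-layout heuristic is an assumption made for this example, not a rule from the thread or from GMER itself.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of lines in the shape of the GMER log posted above.
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-29 09:32:27
Windows 5.1.2600 Service Pack 3

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt 363 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816 0 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\L\pavtnywh 162816 bytes

---- EOF - GMER 1.0.15 ----
"""

# GMER "Files" lines look like: File <path> <size> bytes
FILE_LINE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes$")

# Heuristic (assumed for this example): a $NtUninstallKBnnnnn$ folder with a
# purely numeric subfolder. Genuine Windows uninstall folders hold backed-up
# files and a spuninst\ directory, not a numeric subfolder.
FAKE_UNINSTALL_DIR = re.compile(r"\\\$NtUninstallKB\d+\$\\\d+(\\|$)", re.IGNORECASE)

# Payload-style names seen in the posted log: a bare '@' file, U\<8 hex>.@ and L\<name>.
PAYLOAD_MARKERS = re.compile(r"\\(@|U\\[0-9A-F]{8}\.@|L\\[a-z]+)$", re.IGNORECASE)


@dataclass
class FileEntry:
    path: str
    size: int


def parse_files_section(text: str) -> List[FileEntry]:
    """Return every File entry between the '---- Files' header and '---- EOF'."""
    entries: List[FileEntry] = []
    in_files = False
    for line in text.splitlines():
        if line.startswith("---- Files"):
            in_files = True
            continue
        if line.startswith("---- EOF"):
            break
        if not in_files:
            continue
        m = FILE_LINE.match(line)
        if m:
            entries.append(FileEntry(m.group("path"), int(m.group("size"))))
    return entries


def suspicious_entries(entries: List[FileEntry]) -> List[FileEntry]:
    """Entries located inside a fake-looking $NtUninstallKB...$ numeric subfolder."""
    return [e for e in entries if FAKE_UNINSTALL_DIR.search(e.path)]


def summarize(text: str) -> Dict[str, int]:
    """Count parsed entries, entries in the suspicious folder, and payload-style names."""
    entries = parse_files_section(text)
    hits = suspicious_entries(entries)
    with_markers = [e for e in hits if PAYLOAD_MARKERS.search(e.path)]
    return {
        "total": len(entries),
        "in_fake_uninstall": len(hits),
        "payload_markers": len(with_markers),
    }


if __name__ == "__main__":
    for entry in suspicious_entries(parse_files_section(SAMPLE_LOG)):
        print(f"{entry.size:>8} bytes  {entry.path}")
    print(summarize(SAMPLE_LOG))
```

Run it on a saved gmer.log by reading the file into `summarize()`; the cookie entries that make up most of the posted log are parsed but not flagged, which is the point of separating "parsed" from "suspicious" counts.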

#6 woodstock jim

woodstock jim
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 29 January 2012 - 09:43 AM

aswMBR will not run either.

#7 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:07:03 PM

Posted 29 January 2012 - 09:49 AM

You're infected by the ZeroAccess rootkit and you may have an INFECTED MBR too.

Read the guide here (skip if you can't run any tool):

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here:

http://www.bleepingcomputer.com/forums/forum22.html

Mention that you're not able to run DDS & TDSSKiller. You can post the GMER log.

Good luck

#8 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:03 AM

Posted 29 January 2012 - 05:53 PM

Malware topic here: http://www.bleepingcomputer.com/forums/topic440435.html

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MR Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
