BSOD & Pop-up Ad at bottom of left & right of webpages


8 replies to this topic

#1 dreamalife

dreamalife

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:06 AM

Posted 04 August 2013 - 01:18 AM

Hi, I'm using Windows 7, IE 9 & free AVG 2013. AVG detected a threat & removed it as usual, but with this threat AVG required my PC to restart. After I restarted, I started to get pop-up ads at the bottom left & right of webpages when I surf. After an hour, everything is gone, but a blue screen pops up with messages & then the PC restarts itself.

 

I tried to do a system restore; it didn't work. I scanned with AVG; it came out clean. I deleted the temporary files, history & cookies under Tools in IE. I unchecked system protection/restore & then started the PC in Safe Mode. I scanned it with Malwarebytes till there was nothing left. I also used CCleaner to clean up the Registry. But the problem still persists, please help me with this.

 

I had a similar thing happen in the past, where I was advised to manually remove the infected file, which was hiding in folders. That worked because I had the name of the infected file; I can't remember the steps anymore.

 





#2 GodfatherKing

GodfatherKing

  • Members
  • 587 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:06 PM

Posted 04 August 2013 - 02:53 AM

Welcome!

 

Let's have a look...

 

Step 1: Run Rkill: http://www.bleepingcomputer.com/forums/t/308364/rkill-what-it-does-and-what-it-doesnt-a-brief-introduction-to-the-program/

 

Note: Sometimes AVs think Rkill is infected; this isn't true, it's just a false positive. Just let it terminate the malware processes.

 

Step 2: Run TDSSKiller to obtain a log

 

Note: Don't cure or delete a threat; choose Skip for all instead.

  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click TDSSKiller.exe to run the application, then click on Change parameters

[screenshot: tds2.jpg]

  • In the Additional options: Check Detect TDLFS file system
  • Click Start Scan and allow the scan process to run

[screenshot: tds4-1.jpg]

  • Choose Skip for all threats found.
  • Click Continue
  • Please post the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\)

===================================================

 

Step 3: ESET Online Scanner

==================

Note: If your AV is blocking the ESET Online Scanner, please temporarily disable your AV.

 

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button (esetonlinebtn.png).
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and » UNCHECK "Remove found threats" <== Important
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. (If no malware was found, you will not be presented with a log.)
  • Click the Back button.
  • Click the Finish button.

===================================================


If you have received help from me and I haven't responded to you for 3 or more days, send me a Private Message.


#3 dreamalife

dreamalife
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:06 AM

Posted 04 August 2013 - 07:21 PM

Hi, thanks for responding.

 

I can't find the TDSSKiller.[Version]_[Date]_[Time]_log.txt in my root directory nor on my desktop, where I ran the TDSSKiller Rootkit Removing Tool. I'm typing what I see here:

 

There are unprocessed malware objects

Duration: 00:00:58

Processed: 441 objects, details

Found: 2 threats

Neutralized: 0 threats

Quarantined: 0 objects

 

When I clicked on the details, this is what I saw:

 

Event              Objects
---------------------------------------------------------------------
Suspicious         \Device\Harddisk0\DR0 ( Rootkit.Win32.BackBoot.gen )
Infected           \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b )
Skipped by user    \Device\Harddisk0\DR0 ( Rootkit.Win32.BackBoot.gen )
Skipped by user    \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b )

 

 

For ESET Online Scanner, this is what I got:

 

C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49datact.dll a variant of Win32/Toolbar.MyWebSearch.A application
C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49htmlmu.dll probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49ieovr.dll probably a variant of Win32/Toolbar.MyWebSearch.P application
C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49Plugin.dll probably a variant of Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49skin.dll a variant of Win32/Toolbar.MyWebSearch.P application
C:\Program Files (x86)\UtilityChest_49\bar\1.bin\T8HTML.DLL probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\Users\User 7\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\3a917adb-4520cf16 Java/TrojanDownloader.OpenStream.NDA trojan
C:\Users\User 7\Downloads\avc-free.exe Win32/OpenCandy application
C:\Users\User 7\Downloads\cnet2_avc-free_exe.exe a variant of Win32/InstallCore.D application
C:\Users\User 7\Downloads\keepvid_1.142_setup.exe a variant of Win32/InstallCore.AG application
C:\Users\User 7\Downloads\MJSSetup.exe multiple threats
C:\Windows\winsxs\amd64_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_3de8def0db722996\autochk.exe a variant of Win32/CompuTrace.B application

 



#4 GodfatherKing

GodfatherKing

  • Members
  • 587 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:06 PM

Posted 05 August 2013 - 03:45 AM

Step 1: Backdoor/Rootkit warning: BackBoot.gen

 

This computer is infected with a rootkit called BackBoot.gen. You will need to change all passwords after this, and take care not to do any home banking in the meantime. Don't use the machine now for anything other than malware removal.

 

Step 2: Rerun TDSSKiller. This time: Cure >> BackBoot.gen

 

Note: The tool may ask to reboot.

 

Step 3: Rerun TDSSKiller; the rootkit should be gone.


Edited by GodfatherKing, 05 August 2013 - 03:46 AM.

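The TDSSKiller output above flags the disk itself (\Device\Harddisk0\DR0, i.e. the MBR) and the first partition's boot sector (Partition1) as bootkit-infected: the boot code on disk was modified, which is why TDSSKiller's Cure option, not a file-level scanner, is the fix. The following Python audit is an added example, not part of this thread and not TDSSKiller's code. It parses an MBR partition table, validates the 0x55AA signatures and the NTFS OEM ID in the volume boot record (VBR), and compares the MBR boot code and the VBR against a baseline taken while the disk was known clean. The 512-byte sectors are constructed inline; the byte patches in the "tampered" sample are hypothetical stand-ins for a bootkit hook, not the real BackBoot or Cidox code.

```python
"""Offline MBR/VBR integrity audit (added example; constructed sample sectors)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440       # MBR boot code: bytes 0..439 (disk signature follows at 0x1B8)
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # trailing 0x55 0xAA
NTFS_OEM_ID = b"NTFS    " # OEM ID at offset 3 of an NTFS VBR


def parse_partition_table(mbr):
    """Return the non-empty MBR partition entries as dicts (little-endian layout)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def make_baseline(mbr, vbr):
    """Record what a clean disk looked like; store this somewhere the host cannot alter."""
    return {
        "mbr_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "vbr_sha256": hashlib.sha256(vbr).hexdigest(),
        "partitions": parse_partition_table(mbr),
    }


def audit_boot_sectors(mbr, vbr, baseline):
    """Return a list of findings; an empty list means the sectors match the baseline."""
    if len(mbr) != SECTOR or len(vbr) != SECTOR:
        return ["sector length is not 512 bytes"]
    findings = []
    if mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        findings.append("MBR: missing 0x55AA boot signature")
    if vbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        findings.append("VBR: missing 0x55AA boot signature")
    if vbr[3:11] != NTFS_OEM_ID:
        findings.append("VBR: OEM ID is not 'NTFS    '")
    if hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() != baseline["mbr_code_sha256"]:
        findings.append("MBR: boot code differs from baseline")
    if hashlib.sha256(vbr).hexdigest() != baseline["vbr_sha256"]:
        findings.append("VBR: sector differs from baseline")
    parts = parse_partition_table(mbr)
    if parts != baseline["partitions"]:
        findings.append("MBR: partition table differs from baseline")
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append("MBR: expected exactly one bootable partition, found %d" % len(bootable))
    return findings


def build_clean_sample():
    """Constructed sample: plausible clean MBR with one bootable NTFS partition, plus its VBR."""
    code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])   # cli / xor ax,ax / mov ss,ax / mov sp,7C00
    mbr = bytearray(code + b"\x90" * (BOOT_CODE_LEN - 8) + b"\x00" * (SECTOR - BOOT_CODE_LEN))
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)  # bootable NTFS at LBA 2048
    mbr[BOOT_SIG_OFF:] = b"\x55\xaa"
    vbr = bytearray(b"\xeb\x52\x90" + NTFS_OEM_ID + b"\x00" * (SECTOR - 11))    # jmp short + nop, then OEM ID
    vbr[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(mbr), bytes(vbr)


def build_tampered_sample():
    """Constructed sample: same disk after a hypothetical bootkit patched the boot code."""
    mbr, vbr = map(bytearray, build_clean_sample())
    mbr[0:5] = b"\xea\x00\x7c\x00\x00"   # hypothetical hook: far jmp replacing the MBR entry stub
    vbr[0:3] = b"\xe9\x00\x01"           # hypothetical hook: near jmp diverting the VBR entry, OEM ID intact
    return bytes(mbr), bytes(vbr)


if __name__ == "__main__":
    # On a real Windows host the MBR is sector 0 of \\.\PhysicalDrive0 and the VBR is the
    # first sector of the bootable partition; reading them needs administrator rights.
    clean_mbr, clean_vbr = build_clean_sample()
    baseline = make_baseline(clean_mbr, clean_vbr)
    print("clean:   ", audit_boot_sectors(clean_mbr, clean_vbr, baseline))
    print("tampered:", audit_boot_sectors(*build_tampered_sample(), baseline))
```

The check only has value if the baseline was captured from a disk you trusted at the time and is stored where the host cannot rewrite it. It is also only as honest as the read path: a bootkit that is already running can hook disk I/O and hand back clean copies of the sectors it patched, which is why dedicated anti-rootkit tools read below the filesystem layer and why the most reliable comparison is made from boot media or a rescue environment rather than from the suspect OS.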


#5 dreamalife

dreamalife
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:06 AM

Posted 05 August 2013 - 08:31 AM

The only options I get are Skip, Copy to quarantine & Restore. I don't have the Cure option for Rootkit.Win32.BackBoot.gen. What can I do to cure/remove this?

 

Then I have the Cure option for Rootkit.Boot.Cidox.b; do I select Cure for this also?

 

Thanks.



#6 dreamalife

dreamalife
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:06 AM

Posted 05 August 2013 - 08:39 AM

I selected Copy to quarantine for BackBoot.gen & selected Cure for Cidox.b. After the PC rebooted & I scanned with TDSSKiller, no more threats were found. I guess my PC is virus free now? Thanks a lot!



#7 GodfatherKing

GodfatherKing

  • Members
  • 587 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:06 PM

Posted 05 August 2013 - 09:29 AM

I would run ESET again and this time check "Remove found threats".

==

 

Step 1: My advice is to keep your computer up to date with Windows Updates, Java, Adobe Reader and Flash Player.

 

Step 2: Use WOT to check whether sites are safe or not: http://www.mywot.com/

 

Step 3: A good working antivirus is also important. I personally advise Avast free or Avira. MSE's detection is not so great.

 

Step 4: Let's check how good your security is:

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document called checkup.txt should open automatically; please post the contents of that document.

NOTE 1: If one of your security applications (e.g., a third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2: SecurityCheck may produce some false warnings, so leave the reading of the results to me.




#8 dreamalife

dreamalife
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:06 AM

Posted 06 August 2013 - 06:12 AM

OK, I ran ESET again & removed the threats. Uninstalled AVG 2013 free & installed Avast 2013 free. Downloaded & ran SecurityCheck; the result is this:

 

Results of screen317's Security Check version 0.99.71 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````

 Windows Firewall Enabled! 
avast! Antivirus  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (Firefox.)
````````Process Check: objlist.exe by Laurent```````` 
 AVG avgwdsvc.exe
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast AvastUI.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````

 

So, I guess I'm really virus free this time, & with a better antivirus. Thank you, you're the best!


Edited by dreamalife, 06 August 2013 - 06:13 AM.


#9 GodfatherKing

GodfatherKing

  • Members
  • 587 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:06 PM

Posted 06 August 2013 - 06:23 AM

That's a good choice; I also have Avast free. I scan every month.

 

Step 1: Update Adobe Reader

 

http://get.adobe.com/reader

 

Step 2: Keep MBAM as an on-demand scanner; the other tools may be removed. Run a scan every month with MBAM and Avast.

 

Step 3: As a browser I use Chrome or Firefox, because IE is more vulnerable to infections, and HTML 5 & CSS 3 (technology that web designers/programmers use) are displayed better in Firefox and Chrome.

 

Happy and safe browsing again.






