
continuous attempts by http://iad-login.dotomi.com/


7 replies to this topic

#1 dgmabee

  • Members
  • 3 posts

Posted 02 August 2015 - 11:09 AM

I have Windows 7 and run G Data software for firewall and virus removal. It is constantly blocking a site, per the message below:

Virus found while downloading content from the web.

Address: http://iad-login.dotomi.com/commonid/match?user_token=AQEHjJjxkZvrWAEBAQErAQEBAQE&rurl=http%3A%2F%2Fmedia%2Efastclick%2Enet%2Fw%2Fget%2Emedia%3Fsid%3D79568%26m%3D11%26vpaid%3D1%26refurl%3Dhttp%253A%252F%252Fmlb%2Ecom%252F%26vcpdid%3DAQEHjJjxkZvrWAEBAQErAQEBAQE%26no%5Fcj%5Fc%3D1%26ccs%5Fstatus%3D0&tok=rEikOzgb7js%3D
Status: Access denied.

I have run the following programs in safe mode twice, per Securitytango.com, and I cannot get rid of these constant attempts that my firewall is blocking. It makes my browser and computer come to a crawl.

  • Rkill
  • Unhide
  • TDSSkiller
  • Stinger
  • SuperAntiSpyware
  • Malwarebytes Anti-Malware
  • G Data

How do I get rid of this?
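As an added example (my own script, not code from this thread, from G Data or from any of the hosts named in the URL), here is how to unwrap the blocked address to see what it actually is. The URL is copied from the post above so the script runs offline and fetches nothing; the list of redirect parameter names is an assumption I made for the example. Each hop's query string carries the next hop URL-encoded, so one round of decoding per layer reveals the chain: a cookie-matching endpoint, an ad server, and finally the site that was being visited, with the same user token handed along under two different parameter names. That shape is what an advertising cookie-sync exchange looks like, which is useful context when deciding whether a blocked address is a payload download or tracking traffic.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the address G Data reported as blocked in the first post,
# copied here as a string so the script runs offline (nothing is fetched).
BLOCKED_URL = (
    "http://iad-login.dotomi.com/commonid/match?user_token=AQEHjJjxkZvrWAEBAQErAQEBAQE"
    "&rurl=http%3A%2F%2Fmedia%2Efastclick%2Enet%2Fw%2Fget%2Emedia%3Fsid%3D79568%26m%3D11"
    "%26vpaid%3D1%26refurl%3Dhttp%253A%252F%252Fmlb%2Ecom%252F%26vcpdid%3DAQEHjJjxkZvrWAEBAQErAQEBAQE"
    "%26no%5Fcj%5Fc%3D1%26ccs%5Fstatus%3D0&tok=rEikOzgb7js%3D"
)

# Query parameter names that ad and tracking hosts commonly use to carry the next
# URL. This list is an assumption for the example, not a standard.
REDIRECT_KEYS = ("rurl", "refurl", "redirect", "url", "u")


def unwrap_redirect_chain(url, max_depth=8):
    """Peel nested redirect parameters one layer at a time.

    Returns a list of hops; each hop is a dict with the host, the path and the
    (first-valued) query parameters seen at that layer. Stops when no redirect
    parameter is left, or after max_depth hops so a self-referencing URL cannot
    loop forever.
    """
    hops = []
    current = url
    while current and len(hops) < max_depth:
        parts = urlsplit(current)
        # parse_qs percent-decodes each value exactly once, which is one layer of nesting.
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        hops.append({"host": parts.netloc, "path": parts.path, "params": params})
        current = next((params[k] for k in REDIRECT_KEYS if k in params), None)
    return hops


def shared_identifiers(hops):
    """Values that appear on more than one host, possibly under different names.

    A token that one host passes to the next under a new parameter name is the
    classic signature of a cookie-matching exchange between advertising partners.
    Maps each such value to the set of (host, parameter) pairs that carried it.
    """
    seen = {}
    for hop in hops:
        for name, value in hop["params"].items():
            seen.setdefault(value, set()).add((hop["host"], name))
    return {
        value: owners
        for value, owners in seen.items()
        if len({host for host, _ in owners}) > 1
    }


if __name__ == "__main__":
    chain = unwrap_redirect_chain(BLOCKED_URL)
    print(" -> ".join(hop["host"] for hop in chain))
    for value, owners in shared_identifiers(chain).items():
        print(f"{value!r} is carried as {sorted(owners)}")
```

Running it prints the three-host chain and the one token that both advertising hosts share. The `max_depth` guard matters in practice: redirect parameters on tracking hosts are occasionally self-referential, and a decoder without a limit will spin.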





#2 Firehouse

  • Members
  • 637 posts
  • Gender: Male

Posted 02 August 2015 - 11:13 AM

Step 1

Scan with Malwarebytes AntiRootkit

Please download MBAR and save it to your desktop.

Run the tool as Administrator; it will extract itself and then launch.

Click Next to accept the terms and conditions, and click Update to obtain the latest definitions.

If malware is found, click on the Cleanup button, but make sure that the Create restore point option is checked before proceeding!

The program will ask you to restart; allow it to do so.

Note: If you're experiencing internet connection issues or other anomalies after running MBAR and the removal of rootkits, it is recommended to run fixdamage.exe, located inside the mbar folder. Run it as Administrator and press Y if it asks you whether you want to continue.

Step 2

Scan with Norton Power Eraser

CAUTION: NPE uses aggressive methods to detect and remove malware, so do not touch any of the settings!

Download NPE by Symantec and save it to your desktop.

Run the tool as Administrator, accept the license agreement, and click the Scan button.

The program will ask you to reboot to continue scanning (this includes a rootkit scan), so allow it to restart.

After the restart the program will automatically launch itself and start scanning. Scanning takes 5-10 minutes, so be patient!

If malware is detected, make sure that the Create restore point option is checked, then click the Fix button. After that, click on Restart now to complete removal.

Attach logs from Malwarebytes, TDSS Killer (located in C:\), and Rkill.


#3 dgmabee

  • Topic Starter
  • Members
  • 3 posts

Posted 03 August 2015 - 03:47 PM

Firehouse,

Thanks much!! I did the above and the problem appears fixed. MBAR found nothing. Unfortunately I got interrupted when running Norton Power Eraser, and when I got back to the computer the scan was done; there was no information in NPE, but my G Data Total Security was scanning, per the log below (I could not find any log for NPE).


AVA 25.2836
GD 25.5426

*** Process ***

Process: 3348
File name: npe.exe
Path: c:\users\dave\desktop\service\norton\npe.exe

Publisher: Symantec Corporation
Creation date: 08/02/15 21:22:21
Modification date: 08/02/15 21:22:22

Started by: services.exe
Publisher: Microsoft Windows


*** Actions ***

The program has changed values in the system registry that can be used to endanger the system.
The program is trying to create a startup item to launch a program automatically at system startup.
The program establishes a network connection.
The program is waiting for incoming network connections.
The program is recording keystrokes.
An unknown process was accessed.
The program has saved files in the system folder.
The program manipulates Windows Security Center settings.


*** Quarantine ***

The following files were moved into quarantine:
c:\users\dave\appdata\local\temp\jusched.log
c:\users\dave\appdata\local\trusteer\rapport\user\logs\sysinfo.1.log
c:\users\dave\appdata\local\trusteer\rapport\user\logs\sysinfo.2.log
c:\users\dave\appdata\local\trusteer\rapport\user\logs\sysinfo.3.log
c:\users\dave\appdata\local\trusteer\rapport\user\logs\sysinfo.4.log
c:\users\dave\appdata\local\trusteer\rapport\user\logs\sysinfo.5.log
c:\users\dave\appdata\local\trusteer\rapport\user\store\user\fsm_service_var_0.js.data
c:\users\dave\appdata\local\trusteer\rapport\user\store\user\fsm_service_var_1.js.data
c:\users\dave\appdata\local\trusteer\rapport\user\store\user\rapport_var_0.cfg.data
c:\users\dave\appdata\local\trusteer\rapport\user\store\user\rapport_var_1.cfg.data
c:\windows\prefetch\avktray.exe-4d7154e3.pf
c:\windows\prefetch\dllhost.exe-2e02fdca.pf
c:\windows\prefetch\dllhost.exe-4b6cb38a.pf
c:\windows\prefetch\googleupdate.exe-0e1e7b82.pf
c:\windows\prefetch\gwx.exe-c082b90d.pf
c:\windows\prefetch\mscorsvw.exe-16b291c4.pf
c:\windows\prefetch\mscorsvw.exe-8ce1a322.pf
c:\windows\prefetch\rapportinjservice_x64.exe-e43b0166.pf
c:\windows\prefetch\rapportservice.exe-41da6e3e.pf
c:\windows\prefetch\searchfilterhost.exe-44162447.pf
c:\windows\prefetch\searchprotocolhost.exe-69c456c3.pf
c:\windows\prefetch\svchost.exe-6a249820.pf
c:\windows\prefetch\svchost.exe-b597a9d1.pf
c:\windows\prefetch\trustedinstaller.exe-766eff52.pf
c:\windows\prefetch\vssvc.exe-6c8f0c66.pf
c:\windows\prefetch\wmpnetwk.exe-f6e20e14.pf
c:\windows\prefetch\wmpnscfg.exe-18fc9e64.pf
c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\crypto\rsa\s-1-5-19\7e22207fe9846926e18c29d3e675240e_5b8d6cfe-1f7c-4832-9d27-5d69acb485c5
c:\windows\serviceprofiles\localservice\appdata\roaming\peernetworking\96a0866568660e488639d42cff3d5f1a\c60ec01d572b2ac71dc31bf07602ac8a\grouping\db.mdb
c:\windows\serviceprofiles\localservice\appdata\roaming\peernetworking\96a0866568660e488639d42cff3d5f1a\c60ec01d572b2ac71dc31bf07602ac8a\grouping\edb.log
c:\windows\serviceprofiles\localservice\appdata\roaming\peernetworking\idstore.sst
c:\windows\serviceprofiles\localservice\appdata\roaming\peernetworking\idstore.sst.new
c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows media player nss\3.0\icon files\c3bfc34f-c025-40b7-9b34-0de0f4209ddc.png
c:\windows\softwaredistribution\authcabs\authcab.cab
c:\windows\softwaredistribution\selfupdate\tmp1edb.tmp
c:\windows\softwaredistribution\selfupdate\wuclient-selfupdate-activex~31bf3856ad364e35~amd64~~7.6.7600.320.mum
c:\windows\softwaredistribution\selfupdate\wuclient-selfupdate-aux-toplevel~31bf3856ad364e35~amd64~~7.6.7600.320.mum
c:\windows\softwaredistribution\selfupdate\wuclient-selfupdate-core-toplevel~31bf3856ad364e35~amd64~~7.6.7600.320.mum
c:\windows\softwaredistribution\selfupdate\wuident.txt
c:\windows\softwaredistribution\selfupdate\wupackages.xml
c:\windows\softwaredistribution\wuredir\7971f918-a847-4430-9279-4a52d1efe18d\tmp4936.tmp
c:\windows\softwaredistribution\wuredir\7971f918-a847-4430-9279-4a52d1efe18d\tmp4a12.tmp
c:\windows\softwaredistribution\wuredir\7971f918-a847-4430-9279-4a52d1efe18d\tmp4a32.tmp
c:\windows\softwaredistribution\wuredir\7971f918-a847-4430-9279-4a52d1efe18d\wuredir.cab
c:\windows\softwaredistribution\wuredir\7971f918-a847-4430-9279-4a52d1efe18d\wuredir.cab.bak
c:\windows\softwaredistribution\wuredir\9482f4b4-e343-43b6-b170-9a65bc822c77\tmp1027.tmp
c:\windows\softwaredistribution\wuredir\9482f4b4-e343-43b6-b170-9a65bc822c77\tmp1085.tmp
c:\windows\softwaredistribution\wuredir\9482f4b4-e343-43b6-b170-9a65bc822c77\tmp11ed.tmp
c:\windows\softwaredistribution\wuredir\9482f4b4-e343-43b6-b170-9a65bc822c77\tmp127a.tmp
c:\windows\softwaredistribution\wuredir\9482f4b4-e343-43b6-b170-9a65bc822c77\tmp12aa.tmp
c:\windows\softwaredistribution\wuredir\9482f4b4-e343-43b6-b170-9a65bc822c77\tmpfea8.tmp
c:\windows\softwaredistribution\wuredir\9482f4b4-e343-43b6-b170-9a65bc822c77\wuredir.cab
c:\windows\softwaredistribution\wuredir\9482f4b4-e343-43b6-b170-9a65bc822c77\wuredir.cab.bak
c:\windows\system32\catroot2\dberr.txt
c:\windows\system32\wdi\bootperformancediagnostics_systemdata.bin
c:\windows\system32\wdi\shutdownperformancediagnostics_systemdata.bin
c:\windows\system32\wdi\86432a0b-3c7d-4ddf-a89c-172faa90485d\s-1-5-21-3021621219-2347566606-1200505006-1001_userdata.bin
c:\windows\system32\wdi\86432a0b-3c7d-4ddf-a89c-172faa90485d\bf468147-38bf-4d5f-8279-1f20d5514553\snapshot.etl
c:\windows\temp\3d26dd97.tmp
c:\windows\temp\5d0239bd.tmp
c:\windows\temp\5fde073a.tmp
c:\windows\temp\8516d4dd.tmp
c:\windows\temp\af72e69c.tmp
c:\windows\temp\e85eaba7.tmp

The following registry entries were deleted:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol
\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters || DhcpNameServer

wHKCKiYmJ6jQcnIsJiYnx+Bygu5iYnKC7oAuJ8diYnJyDLlCFoop1wfJcuKQLSfHkC4n7nJycuINinKyYmJysqAsJy4mJicO2nKCKCYmJ4igLiepYmJykgprcoJiYnKCsCknJyYmJwescqIpJiYnmsAuJ8diYnJyDI1y0mJictLQKScnJiYnB91ykigmJieJ0C8WLwmPcoJiYnKCcKdyggp3LycnJiYnB4crJ8diYnJyDJcsJy4mJicOly8nJyYmJwenJycOpysZ9jVmLC0Z9jVmLCcZxjVmKwynLSd8YmJywgenLycqJiYnCrcvJ4hiYnKCCMcuJ7hiYnKCC8cvJy8mJicP1yknLCYmJwz3KCeocM9ycmJicnJw/3KyYmJysoCWcuIPaCsnLCYmJwx4JicnJiYnB3gpJ6gAAA
Rules version: 5.0.60
OS: Windows 6.1 Service Pack 1.0 Build: 7601 - Workstation 64bit OS
dll version: 53604


MD5: 77A7519F29E8A4B06FA02F54DE9FE556
C:\Windows\system32\services.exe
MD5:
 
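As an added example (my own script, not part of this thread and not a G Data tool), here is the sort of quick triage that supports the "false positive" call on a quarantine list like the one above. The sample list is a constructed subset of the paths from the log; the location categories and their labels are my own wording. The idea is simple: bucket every quarantined path into a known Windows housekeeping location (prefetch, Windows Update caches, diagnostic traces, temp folders, a known security product's logs), then look hard at whatever is left over and at anything with a code-carrying extension. A list that buckets completely and contains no executable content is churn the operating system produced, not a payload.

```python
import re
from collections import Counter

# Constructed sample: a subset of the paths quarantined in the G Data log above.
# Raw string, so the Windows backslashes are kept as-is.
QUARANTINED = r"""
c:\users\dave\appdata\local\temp\jusched.log
c:\users\dave\appdata\local\trusteer\rapport\user\logs\sysinfo.1.log
c:\windows\prefetch\svchost.exe-6a249820.pf
c:\windows\prefetch\gwx.exe-c082b90d.pf
c:\windows\softwaredistribution\selfupdate\wuident.txt
c:\windows\softwaredistribution\wuredir\7971f918-a847-4430-9279-4a52d1efe18d\wuredir.cab
c:\windows\system32\wdi\bootperformancediagnostics_systemdata.bin
c:\windows\temp\3d26dd97.tmp
c:\windows\system32\catroot2\dberr.txt
c:\windows\serviceprofiles\localservice\appdata\roaming\peernetworking\idstore.sst
""".strip().splitlines()

# Locations whose contents Windows (or an installed security product) rewrites
# constantly. Entries here are expected churn, not evidence of infection.
# The category labels are my own wording, not anything G Data emits.
KNOWN_CHURN = [
    (r"^c:\\windows\\prefetch\\[^\\]+\.pf$", "Prefetch (execution history kept by Windows)"),
    (r"^c:\\windows\\softwaredistribution\\", "Windows Update working files"),
    (r"^c:\\windows\\system32\\wdi\\", "Windows Diagnostic Infrastructure traces"),
    (r"^c:\\windows\\system32\\catroot2\\", "Catalog database (signature catalogs)"),
    (r"^c:\\windows\\serviceprofiles\\", "Service account profile state"),
    (r"^(?:c:\\windows\\temp|c:\\users\\[^\\]+\\appdata\\local\\temp)\\", "Temporary files"),
    (r"^c:\\users\\[^\\]+\\appdata\\local\\trusteer\\rapport\\", "Trusteer Rapport logs and config"),
]
_COMPILED = [(re.compile(pattern, re.IGNORECASE), label) for pattern, label in KNOWN_CHURN]

# Extensions that can carry code. Anything ending in one of these deserves a
# closer look no matter which folder it sits in.
CODE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".com", ".ps1", ".vbs", ".js", ".bat", ".cmd")


def classify(path):
    """Return the churn category a path belongs to, or None if it is unexplained."""
    for pattern, label in _COMPILED:
        if pattern.search(path):
            return label
    return None


def triage(paths):
    """Summarise a quarantine list: counts per known category plus the leftovers."""
    counts = Counter()
    unexplained = []
    for path in paths:
        label = classify(path)
        if label is None:
            unexplained.append(path)
        else:
            counts[label] += 1
    return counts, unexplained


def code_files(paths):
    """Entries whose extension can carry executable content."""
    return [path for path in paths if path.lower().endswith(CODE_EXTENSIONS)]


if __name__ == "__main__":
    counts, leftovers = triage(QUARANTINED)
    for label, n in counts.most_common():
        print(f"{n:3d}  {label}")
    print("unexplained:", leftovers or "none")
    print("code-carrying files:", code_files(QUARANTINED) or "none")
```

Note that a prefetch entry such as `svchost.exe-6a249820.pf` is a record that a program ran, not the program itself, which is why it is bucketed as churn rather than flagged by the extension check. The registry keys the log lists under Security Center are a separate question from the file list; this script only covers the files.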



#4 Firehouse

  • Members
  • 637 posts
  • Gender: Male

Posted 03 August 2015 - 04:11 PM

Don't worry, it's a false positive. I'm on my phone now, so I will continue tomorrow if you don't mind.

Now run TFC as Administrator: http://www.bleepingcomputer.com/download/tfc/



#5 dgmabee

  • Topic Starter
  • Members
  • 3 posts

Posted 03 August 2015 - 04:26 PM

Is the TFC any different than CCleaner? I run that on a regular basis.



#6 Firehouse

  • Members
  • 637 posts
  • Gender: Male

Posted 03 August 2015 - 04:30 PM

It's more thorough than CCleaner and cleans infected items in %TEMP% and other folders with temporary files.



#7 Sintharius (Bleepin' Sniper)

  • Members
  • 5,639 posts
  • Gender: Female
  • Location: The Netherlands

Posted 04 August 2015 - 02:33 AM

Just to jump in... CCleaner isn't any different than TFC, so you can use CCleaner instead if you want.

#8 Firehouse

  • Members
  • 637 posts
  • Gender: Male

Posted 04 August 2015 - 02:34 AM

His choice :)
