Another 64.111.211.158 infection...

Seems to be a common problem here at the minute… Got infected earlier with Win32:Dropper-gen. Avast managed to remove some of it; after that I managed to kill some of the processes it still had running and delete those, but I still keep getting warnings about me trying to access 64.111.211.158 and other redirects when clicking Google results :frowning:

Here is my log from OTS. ANY help is appreciated, essexboy’s mostly :stuck_out_tongue:

Hey there, you may have been infected by TDSS variant(s).
Please download aswMBR from here http://public.avast.com/~gmerek/aswMBR.htm
1) Double click the aswMBR.exe to run it
2) Click the [Scan] button to start the scan
3) On completion of the scan click [Save log], save it to your desktop and post it in your next reply

Make sure to post your log.

If this doesn’t help, I will PM Essexboy to help you, so don’t worry ;D.

Regards

As requested, please find the log attached.

These drivers may have been corrupted:
11:49:37.752 File: C:\Windows\System32\drivers\en-US\bfe.dll.mui SUSPICIOUS
11:49:39.688 File: C:\Windows\System32\drivers\en-US\ndiscap.sys.mui SUSPICIOUS
11:49:40.072 File: C:\Windows\System32\drivers\en-US\pacer.sys.mui SUSPICIOUS
11:49:40.581 File: C:\Windows\System32\drivers\en-US\qwavedrv.sys.mui SUSPICIOUS
11:49:40.886 File: C:\Windows\System32\drivers\en-US\scfilter.sys.mui SUSPICIOUS
11:49:41.293 File: C:\Windows\System32\drivers\en-US\tcpip.sys.mui SUSPICIOUS
11:50:01.754 File: C:\Windows\System32\drivers\wimmount.sys SUSPICIOUS

Would you mind waiting for Essexboy, as I am not familiarised with OTS?

Of course not, thanks for taking a look.

@ adamparker87
There appear to be some issues with the aswMBR scan and these .mui files being considered suspicious; essexboy has reported it as a probable false positive.

I also suspect it is a false positive, and my guess would be the double file extension used on these files, e.g. .sys.mui. This old double file extension tactic was used back in the old days as a crude attempt to disguise the type of file it actually was. So the suspicious tag could be as simple as that, but I can’t say for certain.

This SUSPICIOUS file, C:\Windows\System32\drivers\wimmount.sys, has been uploaded to a multi-engine virus scanning site, but that didn’t return any hits.

So for the moment don’t take any action with aswMBR or on these SUSPICIOUS files as it could harm your system.

I see from the aswMBR report you have a Sony Vaio laptop?

If correct it is possible that it has a means of restoring the system back to when you received it from the factory (recovery partition and console, etc.). This could account for the Unknown MBR code, as it could be a custom MBR to enable access to this recovery partition.

So it will require analysis from a qualified malware removal specialist.

Yeah, that’s correct.

That may well account for the unknown MBR code, and the redirections would then be coming from another area, which will need to be analysed from the OTS report you attached.

I have contacted essexboy, but he will still be at work now (3pm UK time); he should be on the forums around 7/8pm. Hopefully he will be able to analyse it then, as you can imagine he is quite busy. That was before this rash of 64.111.211.158 redirections, and they are using different tactics to evade detection and removal.

Yeah I saw last night how demanded essexboy’s skills are, he should open a donation page on paypal or something!

Well essexboy also assists on the geekstogo.com site where he is also one of the Instructors training new malware removal specialists. Since their forum is non-aligned to a particular product/company there may well be a donation link there.

But obviously essexboy, as an avast user, doesn’t do that in these forums, but he provides an invaluable specialist service here (along with a few select others). I don’t include myself in that number as I am no malware removal specialist; I know enough to know when to call others for help ;D

Hi dere - OK, you can ignore the suspicious entries, as I feel Avast is locking on the double extension with the heuristics.

OK, could you reattach the OTS log please, but first save the log as ANSI - then I can read it.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Untitled.gif

Saved as ANSI…

On completion of this let me know if the alerts persist

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  {22116563-108C-42c0-A7CE-60161B75E508}.job -> C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
NY ->  {810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job -> C:\Windows\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
NY ->  dbfydp.job -> C:\Windows\tasks\dbfydp.job
NY ->  {BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job -> C:\Windows\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
[Files - No Company Name]
NY ->  {BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job -> C:\Windows\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
NY ->  {22116563-108C-42c0-A7CE-60161B75E508}.job -> C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
NY ->  {810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job -> C:\Windows\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
NY ->  dbfydp.job -> C:\Windows\tasks\dbfydp.job
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Hi essexboy, thanks for joining us.

Noticing the heavy increase in these 64.111.211.158 redirections, it now appears that they are also using the Windows tasks and the creation of jobs. Would it be a pre-emptive measure (whilst waiting for specialist help) to check for the presence of any scheduled tasks in the Windows Task Scheduler?

Or are they not that frequently used?

That is one sneaky hijack area, so it would be well worth checking the task folder and deleting any jobs that are not recognised.
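A small triage helper added here for that check (it is not part of the thread, of OTS or of essexboy’s tools): it reads OTS-style "NY -> name -> path" lines like the ones in the fix above, picks out the .job scheduled-task files and flags GUID-named or random-looking names for review. The sample lines, the name heuristics and the KNOWN_OK allowlist are assumptions made for the example.

```python
import re

# Constructed sample in the style of the OTS "Modified Within 30 Days" section quoted in
# the thread. The first two task names are the ones from the posted fix; the vendor
# updater names and readme.txt are added here for contrast (constructed input).
SAMPLE_OTS = """\
[Files/Folders - Modified Within 30 Days]
NY ->  {22116563-108C-42c0-A7CE-60161B75E508}.job -> C:\\Windows\\tasks\\{22116563-108C-42c0-A7CE-60161B75E508}.job
NY ->  dbfydp.job -> C:\\Windows\\tasks\\dbfydp.job
NY ->  GoogleUpdateTaskMachineUA.job -> C:\\Windows\\tasks\\GoogleUpdateTaskMachineUA.job
NY ->  AdobeAAMUpdater-1.0.job -> C:\\Windows\\tasks\\AdobeAAMUpdater-1.0.job
NY ->  readme.txt -> C:\\Windows\\tasks\\readme.txt
"""

# Hypothetical allowlist: task names the machine's owner recognises (assumption).
KNOWN_OK = {"googleupdatetaskmachineua.job", "adobeaamupdater-1.0.job"}

# One OTS entry: "NY ->  <name>.job -> <path>"; only .job files are of interest here.
JOB_LINE = re.compile(r"^NY\s*->\s+(?P<name>\S+\.job)\s*->\s*(?P<path>.+?)\s*$", re.I)
# Bare {8-4-4-4-12} GUID names, as seen in the jobs the fix removed.
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.job$", re.I)
# Heuristic (assumption): short all-lowercase names with no digits look machine-generated.
RANDOM_NAME = re.compile(r"^[a-z]{5,8}\.job$")

def classify_job(name, known_ok=KNOWN_OK):
    """Return a verdict string for one scheduled-task file name."""
    if name.lower() in known_ok:
        return "known"
    if GUID_NAME.match(name):
        return "review: GUID-named task"
    if RANDOM_NAME.match(name):
        return "review: random-looking name"
    return "review: unrecognised"

def triage_jobs(ots_text, known_ok=KNOWN_OK):
    """Pull every .job entry out of OTS-style lines and classify it.
    Returns a list of (name, path, verdict); non-.job entries are skipped."""
    results = []
    for line in ots_text.splitlines():
        m = JOB_LINE.match(line)
        if m:
            results.append((m["name"], m["path"], classify_job(m["name"], known_ok)))
    return results

if __name__ == "__main__":
    for name, path, verdict in triage_jobs(SAMPLE_OTS):
        print(f"{verdict:30} {path}")
```

Run it over a saved OTS log with triage_jobs(open(path).read()); a "review" verdict is a prompt to look at what the task actually runs in Task Scheduler, not proof of infection.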

Thanks for the help, I’ve attached the generated txt file of the results.

So far so good, it’s only been 10 minutes but I would have had a notification by now.

A quick check for orphans ;D

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

1) Double click mbam-setup.exe to install the application.
2) Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
3) If an update is found, it will download and install the latest version.
4) Once the program has loaded, select “Perform Quick Scan”, then click Scan.
5) The scan may take some time to finish, so please be patient.
6) When the scan is complete, click OK, then Show Results to view the results.
7) Make sure that everything is checked, and click Remove Selected.
8) When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
9) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
10) Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks, will bear that in mind.

Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7075

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/07/2011 20:48:28
mbam-log-2011-07-11 (20-48-28).txt

Scan type: Quick scan
Objects scanned: 164751
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\B7GGEY1ZRR (Trojan.FakeAlert.SA) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Let me know tomorrow if you are happy and I will remove my tools ;D