Hi, I was on a Doctor Who fan site when I caught Vista Total Security. I was able to uninstall it. However, now avast! alerts me to a threat being blocked. Now every time I search in any browser besides avg it pops up. I’ve scanned my laptop w/ Super AntiSpyware, MBAM, Avast, and Spybot Search & Destroy and turned up nothing. It’s something to do with URLs. Sorry I am woefully ignorant of computers and can’t give a better description. Can anyone help me?
The malware may have changed the Windows settings to use a proxy server.
http://www.bleepingcomputer.com/virus-removal/remove-ms-removal-tool
Look in this removal guide (not for the rogue you have) and see steps 4-5-6-7 for how to fix it.
Tell us if it worked…
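The proxy hijack described in the reply above can be checked without a third-party tool. The script below is an added example, not part of the thread or of the linked guide; it assumes PowerShell 3.0 or later is available on the affected machine and reads the WinINET values (`ProxyEnable`, `ProxyServer`, `AutoConfigURL`) that Internet Explorer and browsers sharing its settings use. `Get-ProxyAudit` and `Reset-UserProxy` are names chosen here, not Windows cmdlets.

```powershell
# Added example, not from the thread: audit the WinINET proxy settings that
# Internet Explorer (and browsers that share its settings) read, for every
# user hive currently loaded under HKEY_USERS.
$inetKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyAudit {
    # Returns one record per loaded user hive. "Suspicious" is a heuristic:
    # a rogue typically sets ProxyEnable=1 with a loopback ProxyServer, or
    # pushes a PAC script through AutoConfigURL.
    $records = @()
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
             Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$inetKey"
        if (-not (Test-Path -Path $path)) { continue }
        $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $hasPac = -not [string]::IsNullOrEmpty($p.AutoConfigURL)
        $records += [pscustomobject]@{
            Hive          = $hive.PSChildName
            ProxyEnable   = $p.ProxyEnable
            ProxyServer   = $p.ProxyServer
            AutoConfigURL = $p.AutoConfigURL
            Suspicious    = (($p.ProxyEnable -eq 1) -or $hasPac)
        }
    }
    return $records
}

function Reset-UserProxy {
    # Hypothetical helper: turns the proxy off for the current user only.
    # Run with -WhatIf first to see what would change; no elevation needed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $path = "HKCU:\$inetKey"
    if ($PSCmdlet.ShouldProcess($path, 'Disable proxy and remove PAC URL')) {
        Set-ItemProperty -Path $path -Name ProxyEnable -Value 0 -Type DWord
        foreach ($name in 'ProxyServer', 'AutoConfigURL') {
            Remove-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        }
    }
}

# Show the audit; a row with Suspicious = True on a home PC that never had a
# proxy configured is the symptom the reply above describes.
Get-ProxyAudit | Format-Table -AutoSize
```

A corporate machine may legitimately have `ProxyEnable=1` or a PAC URL pushed by policy, so the `Suspicious` column is a prompt to look, not a verdict; compare the `ProxyServer` value against what the network is supposed to use before running `Reset-UserProxy`.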
Thank you for the advice, but no: “avast! Network Shield has blocked a harmful site” is still appearing when I search in my browser. It reads as follows: Object: pubyhixasuhu.com/8bH3p-qx96fxtfak+9eWxJ-TmMiR
Infection: URL:Mal Action: Blocked Process: c:\Program Files\Internet Explorer\iexplore.exe
Hi there, let’s go hunting ;D
Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif
Click the “Scan” button to start the scan
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif
On completion of the scan click save log, save it to your desktop and post in your next reply
THEN
Download OTS to your Desktop and double-click on it to run it
- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users
- Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.
Hi,
I got the same thing going on the same Dr Who website (I guess). The same avast alert pops up every time I open Firefox. I couldn’t access the internet with either Firefox or Explorer (proxy issue). I ran Malwarebytes and Combofix. Malware fixed several infected files but that wasn’t enough, Combofix did clear things up, now I can use Explorer but not Firefox.
When I looked at the Malware log results, it seemed like the malware installed itself into the browser. My guess is the fake avast alert has nothing to do with avast, it comes from the infected browser. I’m gonna try to uninstall Firefox and reinstall the latest version.
Hi,
Problem solved! Uninstalling and reinstalling the latest version of Firefox did fix the problem, so it certainly was malware installed in the browser. But I suggest you run Combofix first for a 100% cleanup.
Hi:
I have had the same problem as the above user with this malware pubyhixashuhu.com: I ran the above logs, OTS.txt and aswMBR. Here are the results: PLEASE HELP!! Getting frustrated with this
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-10 16:00:39
16:00:39.437 OS Version: Windows 5.1.2600 Service Pack 3
16:00:39.437 Number of processors: 2 586 0x602
16:00:39.437 ComputerName: HOOSBOMB UserName: Peter
16:00:40.109 Initialize success
16:00:56.359 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Scsi\nvgts1Port2Path0Target0Lun0
16:00:56.359 Disk 0 Vendor: ST316002 8.12 Size: 152587MB BusType: 3
16:00:56.375 Disk 0 MBR read successfully
16:00:56.375 Disk 0 MBR scan
16:00:56.375 Disk 0 Windows XP default MBR code
16:00:56.375 Disk 0 scanning sectors +268414020
16:00:56.390 Disk 0 scanning C:\WINDOWS\system32\drivers
16:00:59.906 Service scanning
16:01:00.656 Disk 0 trace - called modules:
16:01:00.671 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS nvgts.sys
16:01:00.671 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x89bff030]
16:01:00.671 3 CLASSPNP.SYS[b80e8fd7] → nt!IofCallDriver → \Device\00000060[0x89b9b030]
16:01:00.671 5 ACPI.sys[b7f7f620] → nt!IofCallDriver → \Device\Scsi\nvgts1Port2Path0Target0Lun0[0x89bfe030]
16:01:00.671 Scan finished successfully
16:01:39.203 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Peter\Desktop\MBR.dat”
16:01:39.203 The log file has been saved successfully to “C:\Documents and Settings\Peter\Desktop\aswMBR.txt”
Attached is the OTS log.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {9D425283-D487-4337-BAB6-AB8354A81457} [HKLM] -> C:\Program Files\Search Toolbar\SearchToolbar.dll [Search Toolbar]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> "{9D425283-D487-4337-BAB6-AB8354A81457}" [HKLM] -> C:\Program Files\Search Toolbar\SearchToolbar.dll [Search Toolbar]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-299502267-507921405-725345543-1003\] > -> HKEY_USERS\S-1-5-21-299502267-507921405-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\
YY -> WebBrowser\\"{9D425283-D487-4337-BAB6-AB8354A81457}" [HKLM] -> C:\Program Files\Search Toolbar\SearchToolbar.dll [Search Toolbar]
[Files/Folders - Created Within 30 Days]
NY -> qmgb0.dll -> C:\WINDOWS\System32\qmgb0.dll
[Files/Folders - Modified Within 30 Days]
NY -> bn5b6b462h21s58w -> C:\Documents and Settings\Peter\Local Settings\Application Data\bn5b6b462h21s58w
NY -> bn5b6b462h21s58w -> C:\Documents and Settings\All Users\Application Data\bn5b6b462h21s58w
NY -> qmgb0.dll -> C:\WINDOWS\System32\qmgb0.dll
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
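The OTS fix above removes one component registered twice, as a Browser Helper Object and as an Internet Explorer toolbar under the same CLSID, plus a randomly named DLL dropped in System32. The audit below is an added example, not the helper’s fix and not an OTS feature; it assumes PowerShell 3.0 or later and walks the same registry locations OTS reported on, resolving each CLSID to its InprocServer32 DLL and flagging DLLs that are missing on disk, lack a valid Authenticode signature, or live outside Program Files. The function names are chosen here, not Windows cmdlets.

```powershell
# Added example, not from the thread: enumerate every Browser Helper Object
# and Internet Explorer toolbar registration and resolve each CLSID to the
# DLL that actually gets loaded into iexplore.exe.

function Resolve-ClsidDll {
    # Look the CLSID up in the usual CLSID roots (64-bit, WOW64, per-user)
    # and return the expanded InprocServer32 path, or $null if unregistered.
    param([string]$Clsid)
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID',
             'HKCU:\SOFTWARE\Classes\CLSID'
    foreach ($root in $roots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -Path $key) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

function New-ExtensionRecord {
    param([string]$Kind, [string]$Clsid, [string]$Source)
    $dll    = Resolve-ClsidDll -Clsid $Clsid
    $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll))
    $sig    = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $dll).Status.ToString() } else { 'n/a' }
    # Heuristic only: legitimate BHOs/toolbars almost always install under
    # Program Files; a DLL in System32 or a profile folder deserves a look.
    $unusual = [bool]($dll -and ($dll -notmatch '\\Program Files'))
    [pscustomobject]@{
        Kind        = $Kind
        CLSID       = $Clsid
        DLL         = $dll
        OnDisk      = $onDisk
        Signature   = $sig
        UnusualPath = $unusual
        Flag        = ((-not $onDisk) -or ($sig -ne 'Valid') -or $unusual)
        Source      = $Source
    }
}

function Get-BrowserExtensionAudit {
    $records = @()
    # BHOs: one subkey per CLSID under these roots
    $bhoRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            $records += New-ExtensionRecord -Kind 'BHO' -Clsid $sub.PSChildName -Source $root
        }
    }
    # Toolbars: values named by CLSID under the machine-wide ToolBar key
    $tbKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
    if (Test-Path -Path $tbKey) {
        $names = (Get-Item -Path $tbKey).GetValueNames() | Where-Object { $_ -match '^\{[0-9A-F-]+\}$' }
        foreach ($name in $names) {
            $records += New-ExtensionRecord -Kind 'Toolbar' -Clsid $name -Source $tbKey
        }
    }
    return $records
}

# Flagged rows first; a CLSID that appears as both BHO and Toolbar with an
# unsigned DLL is the pattern the OTS scan above surfaced.
Get-BrowserExtensionAudit | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Reading the output: an entry whose `DLL` is `$null` or `OnDisk` is `False` is a dangling registration that will still be attempted at browser start, and is worth removing even though nothing loads; an entry with `Signature` other than `Valid` and `UnusualPath` set is the one to submit to the helper before deleting anything, since the CLSID and path are exactly what an OTS fix line needs.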
All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ deleted successfully.
C:\Program Files\Search Toolbar\SearchToolbar.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\{9D425283-D487-4337-BAB6-AB8354A81457} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
File C:\Program Files\Search Toolbar\SearchToolbar.dll not found.
Registry value HKEY_USERS\S-1-5-21-299502267-507921405-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{9D425283-D487-4337-BAB6-AB8354A81457} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
File C:\Program Files\Search Toolbar\SearchToolbar.dll not found.
[Files/Folders - Created Within 30 Days]
LoadLibrary failed for C:\WINDOWS\System32\qmgb0.dll
C:\WINDOWS\System32\qmgb0.dll moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\Peter\Local Settings\Application Data\bn5b6b462h21s58w moved successfully.
C:\Documents and Settings\All Users\Application Data\bn5b6b462h21s58w moved successfully.
File C:\WINDOWS\System32\qmgb0.dll not found!
[Empty Temp Folders]
2nd part:
User: Administrator
->Temp folder emptied: 97 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Peter
->Temp folder emptied: 240833434 bytes
->Temporary Internet Files folder emptied: 70995026 bytes
->Java cache emptied: 4525045 bytes
->FireFox cache emptied: 46877054 bytes
->Flash cache emptied: 397755 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1138618 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4711718 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 12902330 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 365.00 mb
[EMPTYFLASH]
User: Administrator
User: All Users
User: Default User
User: LocalService
User: NetworkService
User: Peter
->Flash cache emptied: 0 bytes
Total Flash Files Cleaned = 0.00 mb
Restore point Set: OTS Restore Point (68719476736)
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05112011_020054
Files\Folders moved on Reboot…
File\Folder C:\Documents and Settings\Peter\Local Settings\Temp\Temporary Internet Files\Content.IE5\O9E3ODUN%2CREC%2CRS%2CRS2&en=CP1252&npv=1&indirect=MNW&rn=1305057970578&em=%7B%22site-attribute%22%3A%20%22content%3Dno_expandable%3Bajax_cert_expandable%3B%22%7D&tgt=blank&vw=getMessages not found!
File\Folder C:\Documents and Settings\Peter\Local Settings\Temp\Temporary Internet Files\Content.IE5\O9E3ODUN\spyware;net=ns;u=,ns-96750078_1305057503,11fff3ef43001e4,Miscellaneous,;;ppos=btf;kw=;tile=2;cmw=owl;sz=300x250,336x280;net=ns;ord1=96639;contx=Miscellaneous;dc=w;btg=;ord=[2] not found!
File\Folder C:\Documents and Settings\Peter\Local Settings\Temp\Temporary Internet Files\Content.IE5\CTUF0TIF\CALGPC11.httpucsqueryyahoocomv1consoleyqlqselect2020from20ucsuser_notif_status20where20guid203D20226Q3WDAGJZ5AIRIJINCIZ3LOKHE223Bformatjsoncrumb7XoDUnLXTNE_menuctrl_callback not found!
File move failed. C:\WINDOWS\temp_avast5\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot…
What are your current problems?
http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.