Malicious URL blocked

When running IE 8.0 on my home computer, I get a message from avast! about every minute or two with the following format:

MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site.
Object: 213.155.22.144/Ocentra/gate.php?guid=5.1.2600!GLENN!28A9229D&ve
Infection: URL:Mal
Action: Blocked
Process: C:\WINDOWS\Explorer.EXE

At times the “213.155.22.144” is replaced with “1gt5324dx.ru” or “1gt6342dx.ru”.

I’ve run MBAM, SuperAntiSpyware, avast!, and avast! boot scan. Several items showed up which were quarantined, after which I restarted (running XP). This message continues to come up and I cannot figure out what is causing it.

Have you tried cleaning your temp files?

TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

Can you post the Malwarebytes and SuperAntiSpyware scan logs?

Look here: https://spyeyetracker.abuse.ch/monitor.php?host=213.155.22.144&id=9e73b6e03b992d84b1ba718071ea90a4
and
http://wepawet.iseclab.org/view.php?hash=ea1a480886ce0d25ad1c86d40e4c1154&t=1298070992&type=js
SPAMHAUS info:

SBL103869	213.155.4.32/32	hosting.ua

18-Feb 20:33 GMT SpyEye Botnet C&C server @213.155.4.32
Has not been removed yet; C&C server in Ukraine for a bot (known as SpyEye), which has properties similar to Zeus Bot.

polonus

Update…

I needed to do some on-line banking. When I signed into the banking website, a screen came up headlined by “Security Alert”, with entries asking for account number, password, mother’s maiden name, etc. I quickly closed the internet webpage, then went to my wife’s computer, accessed the banking webpage and changed my user name and password.

I also have seen the original “Threat Detected” message when I’ve just been using e-mail, not even in IE. I looked into the TFC - Temp File Cleaner by OldTimer suggestion but was scared off by some of the user comments about running the program - such as losing all of their My Documents files.

Any suggestions?

You could run a full scan with MBAM, get it from here http://www.malwarebytes.org/mbam-download.php

After this, run the CCleaner (freeware) installer by downloading from here http://www.filehippo.com/download_ccleaner/download/1d59b13e3d0824a0c054077615cab5c3/ and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).
Once installed, run the CCleaner by clicking its icon on your Desktop or “Start” => “All programs” => “CCleaner”.
The following should be selected by default, if not, please select: see attached GIF

Then please click options and choose advanced

Please uncheck Only delete files in Windows Temp older than 48 hrs

Then go back to Run Cleaner and click to run it.

After the virus and Trojans are removed, the registry is still destroyed or modified, so the computer still has problems. That’s why you need to repair the registry. Use this program download from here: http://www.regsofts.com/download/RegpairSetup.exe

polonus

I also have seen the original "Threat Detected" message when I've just been using e-mail, not even in IE. I looked into the TFC - Temp File Cleaner by OldTimer suggestion but was scared off by some of the user comments about running the program - such as losing all of their My Documents files.
The newest post there is from June 2009, so all bugs should be fixed...

The problems with TFC were user induced by placing important data in temporary files or the recycle bin for safekeeping !

There are currently no known problems with TFC

EDIT: Check your proxy settings

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet Explorer.

And for Firefox there are instructions on this page, and you want the setting to be no proxy.

Update…

I did check my Internet Explorer proxy settings and the Proxy Server box was checked. I unchecked it and restarted my system. However, the problem still exists.

The situation has changed relative to when the “Malicious URL Blocked” message comes up. I do not have to be in IE or e-mail. It comes up even if I have no programs active other than what normally runs in the background.

Unless someone suggests anything different, I’m going to rerun MBAM, then TFC, then CCleaner. I assume there is a rogue program running that must be started by my startup procedure but I don’t know how to track that down.

At least it doesn’t appear that anything critical is going on. I can still use all my programs and avast! is still catching any attempt to get to the malicious URL.

Also, I tried yesterday to do a system restore but was unsuccessful.

Another question…

I’ve heard about a program called HiJackThis - should I run this also?

No, that does not go deep enough.

Download OTS to your Desktop and double-click on it to run it

- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users.
- Under additional scans select the following:
  Reg - NetSvcs
  Reg - Shell Spawning
  Evnt - EventViewer Logs (Last 10 Errors)
  File - Lop Check
  File - Purity Scan
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

After fixing my proxy setting in IE, I reran MBAM. It came up with the following:

Scan type: Full scan (C:|)
Objects scanned: 242376
Time elapsed: 1 hour(s), 2 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\821hbfs.Bin (Trojan.SpyEyes) → Quarantined and deleted successfully.

Files Infected:
c:\system volume information_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp910\a0090586.exe (Trojan.FakeMS) → Quarantined and deleted successfully.
c:\system volume information_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp916\a0092792.exe (Trojan.FakeMS) → Quarantined and deleted successfully.
c:\821hbfs.Bin\config.bin (Trojan.SpyEyes) → Quarantined and deleted successfully.

This appears to have fixed my problem as I have not seen the “MALICIOUS URL BLOCKED” message in the last 10 minutes.

Should I still run OTS as was last advised?

Thanks to everyone for their help so far!

Is it safe to delete old entries from the avast! virus chest?

If you could run OTS please, as the automated tools cannot catch everything. Then attach the log.

He needs to (and I have told him to report this in this topic), as there is still something else going on, as is apparent from another of his topics, http://forum.avast.com/index.php?topic=71728.0.

Which, according to this, isn’t taken care of, as it keeps being restored in startup.

And that from my point of view is definitely malware.

Absolutely, and that is what I have been telling him and trying to get him back into this topic.

Sorry for the delay - here is the OTS log I ran yesterday afternoon.

I also used CCleaner to look into the System Configuration Utility Startup. It says that aqapadewiyohu.dll executes a program called Idefatiwojiliquw which a search on my computer cannot find. I tried to disable the entry via CCleaner and it comes right back again.

Give this a whirl, and once it has run, update and run MBAM again please, posting the resultant log.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Modules - Safe List]
YY -> aqapadewiyohu.dll -> C:\WINDOWS\aqapadewiyohu.dll
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\] > -> HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Idefatiwojiliquw" -> C:\WINDOWS\aqapadewiyohu.dll [rundll32.exe "C:\WINDOWS\aqapadewiyohu.dll",Startup]
< Run [HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\] > -> HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "821hbfs.Bin.exe" -> [C:\821hbfs.Bin\821hbfs.Bin.exe]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\] > -> HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Value error.]
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\] > -> HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> mcafee.com .[http] -> Trusted sites
YN -> mcafee.com .[https] -> Trusted sites
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} [HKLM] -> http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab [Reg Error: Key error.]
YN -> {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} [HKLM] -> http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5236/mcfscan.cab [Reg Error: Key error.]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\AutoRun\command -> 
YN -> \{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\AutoRun\command\\"" -> [F:\BOOTEX\thumbcache_131.exe]
YN -> \{77b197fd-48cb-11db-a4ac-000fb5ce3a21} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\explore\command -> 
YN -> \{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\explore\command\\"" -> [F:\BOOTEX/thumbcache_131.exe]
YN -> \{77b197fd-48cb-11db-a4ac-000fb5ce3a21} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\open\command -> 
YN -> \{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\open\command\\"" -> [F:\.////BOOTEX/thumbcache_131.exe]
[Files/Folders - Modified Within 30 Days]
NY ->  Ygavazayujup.dat -> C:\WINDOWS\Ygavazayujup.dat
NY ->  Iyehuvubovis.bin -> C:\WINDOWS\Iyehuvubovis.bin
NY ->  8536.84E -> C:\Documents and Settings\Glenn Peterson\Application Data\8536.84E
NY ->  kuhzmn.dat -> C:\Documents and Settings\Glenn Peterson\Application Data\kuhzmn.dat
[Files - No Company Name]
NY ->  8536.84E -> C:\Documents and Settings\Glenn Peterson\Application Data\8536.84E
NY ->  Ygavazayujup.dat -> C:\WINDOWS\Ygavazayujup.dat
NY ->  Iyehuvubovis.bin -> C:\WINDOWS\Iyehuvubovis.bin
NY ->  kuhzmn.dat -> C:\Documents and Settings\Glenn Peterson\Application Data\kuhzmn.dat
NY ->  aqapadewiyohu.dll -> C:\WINDOWS\aqapadewiyohu.dll
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
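The fix above is built by eye from an OTS listing: Run values that load a DLL through rundll32 from the Windows folder, a dropper sitting in its own top-level folder, and MountPoints2 autorun handlers that point at an executable on a removable drive. As an added illustration (this script is not part of the thread and is not OTS's own code), the Python below applies those three rules to OTS-style lines so the persistence entries stand out mechanically. The sample lines are the thread's own Run and MountPoints2 entries plus one constructed benign ctfmon.exe entry; the line format is assumed from the listing as posted, not taken from OTS documentation.

```python
"""Triage Run and MountPoints2 entries from an OTS-style listing.

Defender-side, explainable rules (not signatures):
  * rundll32.exe loading a DLL placed directly in the Windows folder
    (rather than System32) is a classic user-mode loader for banking
    trojans such as SpyEye.
  * A Run value whose executable lives in a top-level folder of C:\\ that
    shares the folder's name (C:\\X\\X.exe) is a common dropper layout.
  * A MountPoints2 Shell\\AutoRun|open|explore command pointing at an
    executable on another drive letter is the removable-media autorun
    infection pattern.
"""
import re
from dataclasses import dataclass

# Sample input: the thread's own OTS entries, plus one CONSTRUCTED benign
# entry (ctfmon.exe) so the rules have something they must NOT flag.
SAMPLE = r"""
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Idefatiwojiliquw" -> C:\WINDOWS\aqapadewiyohu.dll [rundll32.exe "C:\WINDOWS\aqapadewiyohu.dll",Startup]
YN -> "ctfmon.exe" -> C:\WINDOWS\system32\ctfmon.exe [C:\WINDOWS\system32\ctfmon.exe]
< Run [HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\] > -> HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "821hbfs.Bin.exe" -> [C:\821hbfs.Bin\821hbfs.Bin.exe]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\AutoRun\command\\"" -> [F:\BOOTEX\thumbcache_131.exe]
YN -> \{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\open\command\\"" -> [F:\.////BOOTEX/thumbcache_131.exe]
"""

WINDIR = r"C:\WINDOWS"  # assumed XP-era Windows folder, as in the thread

# "< Section [hive] > -> full key path" header lines (format assumed from the listing)
SECTION_RE = re.compile(r"^< (?P<section>.+?)(?: \[[^\]]*\])? > -> ")
# "YN -> name -> target" entry lines
ENTRY_RE = re.compile(r"^[YN]{2} -> (?P<name>.+?) -> (?P<target>.*)$")
# the bracketed command at the end of a target
CMD_RE = re.compile(r"\[(?P<cmd>[^\]]+)\]\s*$")
# \{volume-guid}\Shell\<verb>\command names under MountPoints2
MOUNT_RE = re.compile(
    r"^\\\{[0-9a-fA-F-]+\}\\Shell\\(?P<verb>AutoRun|open|explore)\\command", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    command: str
    reason: str


def _exe_path(cmd: str) -> str:
    """Return the executable portion of a command line (quoted or first token)."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def classify_run(cmd: str):
    """Apply the two Run-key rules; return a reason string or None."""
    low = cmd.lower()
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', low)
    if m and m.group(1).rsplit("\\", 1)[0] == WINDIR.lower():
        return "rundll32 loads a DLL placed directly in the Windows folder"
    parts = _exe_path(cmd).split("\\")
    if len(parts) == 3 and parts[0].lower() == "c:" \
            and parts[2].lower() == parts[1].lower() + ".exe":
        return "executable in a top-level folder named after itself"
    return None


def classify_mountpoint(verb: str, cmd: str):
    """Flag a volume shell handler whose command lives on another drive letter."""
    drive = cmd.strip()[:2].upper()
    if re.match(r"^[A-Z]:$", drive) and drive != "C:":
        return f"Shell\\{verb} handler runs a {drive} executable when the volume is opened"
    return None


def triage(listing: str):
    """Walk the listing, tracking the current section, and collect findings."""
    findings, section = [], None
    for raw in listing.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        sm = SECTION_RE.match(line)
        if sm:
            section = sm.group("section")
            continue
        em = ENTRY_RE.match(line)
        if not em or section is None:
            continue
        name, target = em.group("name"), em.group("target")
        cm = CMD_RE.search(target)
        cmd = cm.group("cmd") if cm else target
        reason = None
        if section == "Run":
            reason = classify_run(cmd)
        elif section == "MountPoints2":
            mm = MOUNT_RE.match(name)
            if mm:
                reason = classify_mountpoint(mm.group("verb"), cmd)
        if reason:
            findings.append(Finding(section, name.strip('"'), cmd, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.section}] {f.name}: {f.reason}\n    {f.command}")
```

Run against the sample it reports four entries (the rundll32 loader, 821hbfs.Bin.exe, and the AutoRun and open handlers for F:) and stays quiet on ctfmon.exe; the same rules are what a reviewer applies by hand when building a fix like the one above.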

OTS hung with its window frozen and the rest of the desktop was blank. I used the Windows Task Manager to execute explorer to get my desktop back, then answered yes to complete the deleting of files; it then did a system restart. The log is attached…

OTS did not freeze; it was removing the temporary files (420.00 MB).

Could you now run MBAM please and let me know what problems remain.

I checked the System Configuration Utility Startup list - aqapadewiyohu.dll is disabled.

I will run MBAM - it usually takes about an hour.