I am trying to help a friend sort their PC out - it appears they have had no AV in place for some time, and after running Malwarebytes (which found 32 infected files/folders/registry keys), I installed Avast (free) and ran a full scan. It found 2 files, which it has moved to chest, but now I keep seeing MALICIOUS URL BLOCKED warnings, where the details are:
Object: 199.80.55.19/go.php?uid4714…
Infection: URL:Mal
Action: Blocked
Process: C:\Windows\system32\svchost.exe
I’m also seeing MALWARE BLOCKED warnings, where the system shield has blocked the threat. Details are:
Object: C:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.IE5\L5IT1RBQ\ha81naoo0o0_com[1].htm
Infection: HTML:Iframe-inf
Action: Moved to chest
Process: C:\Windows\system32\svchost.exe
I’m also seeing the option to report the latter item as a false positive, but haven’t done so due to the former warning.
The object details differ each time, but I think they all stem from the same locations. Can anyone please tell me how to deal with these problems?
Download OTS to your Desktop and double-click on it to run it
[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following:
    Reg - Disabled MS Config Items
    Reg - Drivers32
    Reg - NetSvcs
    Reg - SafeBoot Minimal
    Reg - Shell Spawning
    Evnt - EventViewer Logs (Last 10 Errors)
    File - Lop Check
[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.
Aye it will not work in the sandbox - let me know if this kills it
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (srvBF4) srvBF4 [Auto | Stopped] ->
YN -> (McSysmon) McAfee SystemGuards [Auto | Stopped] ->
YN -> (McShield) McAfee Real-time Scanner [Unknown | Stopped] ->
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2265180834-3589896195-1863088483-1000\] > ->
YN -> HKEY_USERS\S-1-5-21-2265180834-3589896195-1863088483-1000\: URLSearchHooks\\"{D3D233D5-9F6D-436C-B6C7-E63F77503B30}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D7E97865-918F-41E4-9CD0-25AB1C574CE8}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D7E97865-918F-41E4-9CD0-25AB1C574CE8}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2265180834-3589896195-1863088483-1000\] > -> HKEY_USERS\S-1-5-21-2265180834-3589896195-1863088483-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D7E97865-918F-41E4-9CD0-25AB1C574CE8}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Menu Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\
YN -> Crawler Search -> [tbr:iemenu]
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\
YN -> Crawler Search -> [tbr:iemenu]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
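Added example, not part of this thread and not OTS output: the two warnings in the first post (a blocked URL and an IE cache file under systemprofile, both attributed to svchost.exe) point at a service DLL running inside a shared host process, and the fix above removes a service (srvBF4) plus IE URLSearchHooks, Toolbar and MenuExt entries across several user hives. The script below enumerates exactly those locations so you can see what a fix would remove before running it. It assumes an elevated PowerShell prompt on the affected machine; the function names are mine, nothing is hard-coded to the CLSIDs or SIDs in the log, and only currently loaded user hives appear under HKEY_USERS.

```powershell
# Triage the persistence points targeted by the OTS fix (added example, not from the thread).
# Run elevated. Function names here are my own, not OTS or Windows names.

# Resolve a CLSID to the DLL it loads. The fix log's "Reg Error: Key error" entries are
# references whose CLSID is no longer registered; those show up here as ORPHANED.
function Resolve-Clsid([string]$clsid) {
    $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv) { $srv.'(default)' } else { 'ORPHANED (no CLSID registration)' }
}

# 1. Services. svchost.exe-hosted services keep their code in Parameters\ServiceDll.
#    Anything whose DLL lives outside System32, or is missing, deserves a look first.
function Get-ServiceBinaries {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p   = Get-ItemProperty $_.PSPath
        $dll = (Get-ItemProperty "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($null -ne $p.ImagePath) {
            [pscustomobject]@{
                Name       = $_.PSChildName
                Start      = $p.Start        # 2 = Auto, 3 = Manual, 4 = Disabled
                ImagePath  = $p.ImagePath
                ServiceDll = $dll
            }
        }
    }
}

function Find-SuspectServices {
    Get-ServiceBinaries | Where-Object { $_.ServiceDll } | ForEach-Object {
        $path = [Environment]::ExpandEnvironmentVariables($_.ServiceDll)
        # Embedded Authenticode only: on older Windows many System32 DLLs are catalog-signed
        # and report NotSigned here, so the filter below keys on location, not signature alone.
        $sig = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'Missing' }
        $_ | Add-Member -MemberType NoteProperty -Name Signature -Value $sig -PassThru
    } | Where-Object {
        $_.ServiceDll -notmatch '(?i)\\system32\\' -or $_.Signature -in 'Missing', 'HashMismatch'
    }
}

# 2. IE persistence in every loaded user hive: the fix touched HKU\.DEFAULT, S-1-5-18 (SYSTEM,
#    which is why the cache file sat under systemprofile) and the interactive user's SID.
function Get-IEPersistence {
    if (-not (Test-Path 'HKU:\')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem 'HKU:\') {
        $sid  = $hive.PSChildName
        $base = "HKU:\$sid\Software\Microsoft\Internet Explorer"
        # URLSearchHooks and Toolbar\WebBrowser store one value per CLSID.
        foreach ($sub in 'URLSearchHooks', 'Toolbar\WebBrowser') {
            $item = Get-Item "$base\$sub" -ErrorAction SilentlyContinue
            if (-not $item) { continue }
            foreach ($clsid in $item.GetValueNames()) {
                if ($clsid -notmatch '^\{[0-9A-F-]{36}\}$') { continue }
                [pscustomobject]@{ Hive = $sid; Location = $sub; Entry = $clsid; Target = (Resolve-Clsid $clsid) }
            }
        }
        # MenuExt stores one subkey per context-menu entry; the default value is the script it runs.
        Get-ChildItem "$base\MenuExt" -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Hive = $sid; Location = 'MenuExt'; Entry = $_.PSChildName
                Target = (Get-ItemProperty $_.PSPath).'(default)'
            }
        }
    }
}

Find-SuspectServices | Format-Table -AutoSize
Get-IEPersistence    | Format-Table -AutoSize
```

Read the output the same way the fix log is read: a service with a ServiceDll outside System32 is the likely owner of the svchost.exe warnings, and an ORPHANED toolbar or search hook is dead weight that is safe to delete but also a sign that something was installed and only half removed. Compare the list to the OTS fix before running it, and re-run the script afterwards to confirm the entries are gone.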
Hi
It’s running as I type, though I forgot to close the IE session that I copied the fix from - the progress bar in the middle is progressing time after time, and all that is left in the Fix box is
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
Is this because IE is open? I’ve also had 6 more warnings whilst this was running…
[EDIT]I did ALT+F4 and closed the IE session, though it’s still running[/EDIT]
Thanks
Martin
Many many thanks for your help.
I’ve got some other questions but will come back and ask those another day - been at the PC all day and think I need a drink!
Thanks again
Martin
It’s back!
I got a critical error telling me it had found a rootkit, then I got 6 warnings as before.
Shall I re-run OTS with the same settings, or sort out the rootkit issue first?
I have a feeling I might just do a restore back from the recovery partition and start fresh as am also having other issues with windows update since installing SP1 for vista.
[EDIT]
I ran Kaspersky’s TDSSKiller and that has resolved the rootkit and it also seems to have resolved the Windows Update issues I was having. I’ll leave it running over the next 24 hours and see if I get any more warnings, and will report back either way.
[/EDIT]
TDSSKiller is a great rootkit remover. Fast and effective. Hitman Pro is also great at removing rootkits. GMER is another rootkit remover. OTS is good but involves too much user interaction. One of the easiest ways to spot a rootkit is by opening up Task Manager when not using your browser and seeing if “iexplorer.exe” is running. If it is then that’s a tell-tale sign that a rootkit is calling home.
Download OTS to your Desktop and double-click on it to run it
[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following:
    Reg - Disabled MS Config Items
    Reg - Drivers32
    Reg - NetSvcs
    Reg - SafeBoot Minimal
    Reg - Shell Spawning
    Evnt - EventViewer Logs (Last 10 Errors)
    File - Lop Check
[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.