Malware warning/being redirected

So yeah, it seems this is happening to a lot of people. I'm getting popups telling me my browser is trying to connect to a blocked site, and I'm getting redirected to sites during searches.
I also noticed that it will try to connect to these sites with both IE and Firefox…

Followed the sticky's instructions with no luck.

Files attached below.

Thanks for any help

And here's the MBAM copy/paste:

"
Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7501

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/18/2011 12:00:55 PM
mbam-log-2011-08-18 (12-00-55).txt

Scan type: Quick scan
Objects scanned: 151573
Time elapsed: 29 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\mike\local settings\Temp\0.23859112580936281.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.

"

Download aswMBR.exe (1.8 MB) to your desktop.
Double-click aswMBR.exe to run it, then click the "Scan" button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan, click Save log, save it to your desktop, and post it in your next reply.

http://public.avast.com/~gmerek/aswMBR2.png

Wow, you guys are fast!

Here are the results:

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-18 13:44:58

13:44:58.921 OS Version: Windows 5.1.2600 Service Pack 3
13:44:58.921 Number of processors: 2 586 0xF06
13:44:58.921 ComputerName: MIKE-1821C9AEAF UserName: mike
13:45:00.062 Initialize success
13:45:00.750 AVAST engine defs: 11081800
13:45:08.515 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
13:45:08.515 Disk 0 Vendor: ST325082 3.AD Size: 238418MB BusType: 3
13:45:08.531 Disk 0 MBR read successfully
13:45:08.531 Disk 0 MBR scan
13:45:08.531 Disk 0 MBR:Alureon-I [Rtk]
13:45:08.531 Disk 0 TDL4@MBR code has been found
13:45:08.531 Disk 0 Windows XP default MBR code found via API
13:45:08.531 Disk 0 MBR hidden
13:45:08.531 Disk 0 MBR [TDL4] ROOTKIT
13:45:08.531 Disk 0 trace - called modules:
13:45:08.531 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a338f16]<<
13:45:08.531 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8ac78030]
13:45:08.531 3 CLASSPNP.SYS[b80f8fd7] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x8ac7a030]
13:45:08.546 \Driver\iastor[0x8ac38030] → IRP_MJ_INTERNAL_DEVICE_CONTROL → 0x8a338f16
13:45:09.140 AVAST engine scan C:\WINDOWS
13:45:18.187 AVAST engine scan C:\WINDOWS\system32
13:46:33.546 AVAST engine scan C:\WINDOWS\system32\drivers
13:46:48.671 AVAST engine scan C:\Documents and Settings\mike
14:03:52.625 AVAST engine scan C:\Documents and Settings\All Users
14:04:42.015 Scan finished successfully
14:07:30.015 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\mike\Desktop\MBR.dat”
14:07:30.015 The log file has been saved successfully to “C:\Documents and Settings\mike\Desktop\aswMBR.txt”

Re-Run aswMBR

Click Scan

On completion of the scan
Click the Fix Button

http://public.avast.com/~gmerek/aswMBR3.png

Save the log as before and post it in your next reply.

If essexboy doesn’t get back shortly (his time on the forums is limited), I will advise on the next step.

Never mind here he is ;D

Question:

I get a popup saying it will restart my computer after I hit Yes… If I do that, how do I save the log? (Sorry if this is obvious.)

After the reboot you do a new scan, then save the log and post it… and that log should show clean… if lucky.

Thank you. I'm out of my depth on this stuff, but man, this forum is fast and helpful!

Here it is:

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-18 15:25:57

15:25:57.156 OS Version: Windows 5.1.2600 Service Pack 3
15:25:57.156 Number of processors: 2 586 0xF06
15:25:57.156 ComputerName: MIKE-1821C9AEAF UserName: mike
15:25:58.312 Initialize success
15:25:58.515 AVAST engine defs: 11081800
15:26:01.109 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
15:26:01.109 Disk 0 Vendor: ST325082 3.AD Size: 238418MB BusType: 3
15:26:01.125 Disk 0 MBR read successfully
15:26:01.125 Disk 0 MBR scan
15:26:01.125 Disk 0 MBR:Alureon-I [Rtk]
15:26:01.125 Disk 0 TDL4@MBR code has been found
15:26:01.125 Disk 0 Windows XP default MBR code found via API
15:26:01.125 Disk 0 MBR hidden
15:26:01.125 Disk 0 MBR [TDL4] ROOTKIT
15:26:01.125 Disk 0 trace - called modules:
15:26:01.125 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a335f16]<<
15:26:01.125 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8ac74030]
15:26:01.125 3 CLASSPNP.SYS[b80e8fd7] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x8ac8a030]
15:26:01.125 \Driver\iastor[0x8ac40630] → IRP_MJ_INTERNAL_DEVICE_CONTROL → 0x8a335f16
15:26:01.609 AVAST engine scan C:\WINDOWS
15:26:27.484 AVAST engine scan C:\WINDOWS\system32
15:27:41.765 AVAST engine scan C:\WINDOWS\system32\drivers
15:27:51.734 AVAST engine scan C:\Documents and Settings\mike
15:46:16.578 AVAST engine scan C:\Documents and Settings\All Users
15:47:08.156 Scan finished successfully
15:47:47.171 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\mike\My Documents\kotor editor\MBR.dat”
15:47:47.171 The log file has been saved successfully to “C:\Documents and Settings\mike\My Documents\kotor editor\aswMBR.txt”

What's next?

Unfortunately it is still there.

Was that reboot pop-up after A) running the scan and B) after clicking the Fix button?

It could be a new variant, but essexboy would need to check that out.

I can put you on to a possible next step, but essexboy will be tucked up in bed now after Midnight here in the UK.
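Reading the two logs side by side is what the "still there" verdict above rests on: the post-fix scan repeats every indicator of the first one (the Alureon-I / TDL4 detection, the "MBR hidden" flag, and the hooked \Driver\iastor dispatch whose target address falls outside any listed module). The "Windows XP default MBR code found via API" line is not reassuring in that company: together with "MBR hidden" it means the rootkit is filtering API-level sector reads and handing back a stock MBR, which is why a bootkit scanner has to read the sector below that filter. The script below is an added example, not code from aswMBR or from anyone in this thread. It parses the indicator lines from excerpts of the two posted logs (with the arrow written as "->"; the regex accepts either rendering) plus a constructed clean log that is not from the thread, and decides whether a fix succeeded by comparing the two verdicts.

```python
"""Triage aswMBR logs: did the Fix actually remove the MBR rootkit?

Added example for this thread, not aswMBR's own code. It keys on the line
shapes visible in the posted logs; CLEAN_SCAN_CONSTRUCTED is made up here
to show what a clean re-scan would have to look like.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# One regex per indicator line. Timestamps look like "13:45:08.531 ".
_TS = r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+"
RE_DETECTION = re.compile(_TS + r"Disk (\d+) MBR:(\S+)")             # MBR:Alureon-I [Rtk]
RE_ROOTKIT = re.compile(_TS + r"Disk (\d+) MBR \[(\w+)\] ROOTKIT")     # MBR [TDL4] ROOTKIT
RE_HIDDEN = re.compile(_TS + r"Disk (\d+) MBR hidden")
RE_API_CLEAN = re.compile(_TS + r"Disk (\d+) .+ default MBR code found via API")
# \Driver\iastor[0x8ac38030] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a338f16
RE_HOOK = re.compile(
    _TS + r"\\Driver\\(\w+)\[0x[0-9a-f]+\]\s+\S+\s+(IRP_MJ_\w+)\s+\S+\s+(0x[0-9a-f]+)"
)


@dataclass
class MbrVerdict:
    disk: Optional[int] = None
    detection: Optional[str] = None      # scanner name, e.g. "Alureon-I"
    family: Optional[str] = None         # rootkit family, e.g. "TDL4"
    hidden: bool = False                 # raw sector differs from what the OS returns
    api_view_clean: bool = False         # API-level read shows stock boot code
    hook: Optional[Tuple[str, str, str]] = None  # (driver, IRP major, hook address)

    @property
    def infected(self) -> bool:
        return bool(self.detection or self.family or self.hidden or self.hook)

    @property
    def api_read_untrustworthy(self) -> bool:
        # A "clean" API view plus a hidden MBR means reads are being filtered.
        return self.api_view_clean and self.hidden


def parse_aswmbr(text: str) -> MbrVerdict:
    """Extract the MBR indicators from one aswMBR log."""
    v = MbrVerdict()
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_DETECTION.match(line)
        if m:
            v.disk, v.detection = int(m.group(1)), m.group(2)
            continue
        m = RE_ROOTKIT.match(line)
        if m:
            v.disk, v.family = int(m.group(1)), m.group(2)
            continue
        if RE_HIDDEN.match(line):
            v.hidden = True
            continue
        if RE_API_CLEAN.match(line):
            v.api_view_clean = True
            continue
        m = RE_HOOK.match(line)
        if m:
            v.hook = (m.group(1), m.group(2), m.group(3))
    return v


def fix_succeeded(before: MbrVerdict, after: MbrVerdict) -> bool:
    """True only if the first scan was infected and the re-scan shows nothing."""
    return before.infected and not after.infected


# Excerpt of the first log posted in the thread (before Fix).
SCAN_BEFORE_FIX = """\
13:45:08.531 Disk 0 MBR read successfully
13:45:08.531 Disk 0 MBR scan
13:45:08.531 Disk 0 MBR:Alureon-I [Rtk]
13:45:08.531 Disk 0 TDL4@MBR code has been found
13:45:08.531 Disk 0 Windows XP default MBR code found via API
13:45:08.531 Disk 0 MBR hidden
13:45:08.531 Disk 0 MBR [TDL4] ROOTKIT
13:45:08.546 \\Driver\\iastor[0x8ac38030] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a338f16
"""

# Excerpt of the second log posted in the thread (after Fix and reboot).
SCAN_AFTER_FIX = """\
15:26:01.125 Disk 0 MBR read successfully
15:26:01.125 Disk 0 MBR scan
15:26:01.125 Disk 0 MBR:Alureon-I [Rtk]
15:26:01.125 Disk 0 Windows XP default MBR code found via API
15:26:01.125 Disk 0 MBR hidden
15:26:01.125 Disk 0 MBR [TDL4] ROOTKIT
15:26:01.125 \\Driver\\iastor[0x8ac40630] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a335f16
"""

# CONSTRUCTED, not from the thread: an MBR block with no indicator lines at all.
CLEAN_SCAN_CONSTRUCTED = """\
16:00:00.000 Disk 0 MBR read successfully
16:00:00.000 Disk 0 MBR scan
16:00:00.000 Scan finished successfully
"""

if __name__ == "__main__":
    before, after = parse_aswmbr(SCAN_BEFORE_FIX), parse_aswmbr(SCAN_AFTER_FIX)
    for label, v in (("before fix", before), ("after fix", after)):
        print(f"{label}: infected={v.infected} family={v.family} hook={v.hook}")
    print("fix succeeded:", fix_succeeded(before, after))
```

The only thing that changed between the two posted scans is the kernel addresses (0x8a338f16 to 0x8a335f16, and the iastor object address), which is what a reboot does to a resident hook; every indicator the parser looks for is still present, so the comparison reports the fix as failed, matching the helper's reading above.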

Thank you, I do believe the TDSS thing killed it!

You’re welcome.

Did it create a log, if so please attach it using the Additional Options in the Reply when you post.

Yes please to the log.