Two days ago, I started getting warnings from Avast when I clicked on sites I regularly visit (including my blog) that an infected site had been successfully blocked. When I clicked on the ‘Details’ link, there was reference to dust-cat.com robots.txt. On googling for that, I was automatically directed to a MS page on ‘deceptive viruses’.

I did everything suggested on the MS page, could not identify any programs that I did not recognise, ran Avast, Superantispyware and Malwarebytes, and no infections were detected.

For a while, all seemed ok, then yesterday I again started receiving the same warnings from Avast re malicious malware being present on my blog and other familiar sites, along with the dust.cat reference - with some variations, but always including ‘dust-cat’. Again, clicking on URLs brought up in Google redirected to unrelated sites. Copying and pasting the URLs directly into the browser seemed to be an effective workaround. At first I thought this redirect stuff was only happening with FF, but IE9 started behaving similarly as I began using it more.

I asked my web host to check my blog for viruses, and they replied that nothing was evident, and that they were not experiencing anything abnormal when accessing the site through Google. I concluded that the issue, whatever it is, is local to my computer.

One further thing that may be significant. When this first started happening, I could not bring up my blog page or the other URLs that were supposedly infected. Instead, I’d be redirected to other pages that I didn’t take note of, but some seemed to be advertising URLs and others were apparently random legit sites, including some mainstream newspaper sites I regularly peruse.

Fearing a rootkit, Last night I ran TDSSKiller and Hitman Pro - again, no infections picked up.

Today, so far, none of the problems are present.

Anyone able to shed some light on what has been happening, please?

Cheers
Ross

Hi Rossb and welcome.
If you would provide further details/info. on what OS you are using, version etc. What version and product of Avast are you using? And any other security related programs installed on your system.
THis information may help the many qualfied evangelists who have direct experience with Website issues and security
THanks.

Also, you may want to “Hide your email from the Public” Spammers have been known to harvesr visible email addresses :-
Go to your profile and under ‘Account Related Settings’ make sure the box with "Hide my email from the public is CHECKED.

Thanks for the welcome and tips, schmidthouse. Have now done as you suggested re my email address.

My specs are as follows:
OS Win 7 Home Premium SP1 (64 bit)
Avast 6.0.1367 (virus definitions etc updated)
Intel(R) Core™ i5 2400 CPU @ 3.10GHz
RAM 4Gb
Security-related programs currently installed:
Avast, Windows Malicious Software Removal Tool, Windows Defender (not active), Superantispyware, Malbytes Antimalware, TDSSKiller and Hitman Pro 3.5 (ran once, not installed)

Using current versions of FF(9.0.1) and IE9.

Hope that’s all that is required.

Cheers!
Ross

follow the guide and attach all the logs…link below:

http://forum.avast.com/index.php?topic=53253.0

Our malware removal expert essexboy will be here to help u by night according to UK time.

Essexboy notified…

Thanks, true indian!

There seems to be a limit of 4 attachments uploadable in the same post. Here’s the final one.

Thank you for posting the logs rossb. You do have some problems that Essexboy will instruct you further in resolving your problems.

Please do not make any further changes to your machine at this time. Thank you.

Hi there is one anomolous file to remove. On completion let me know if you still get the alerts

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL [2012/01/14 16:51:19 | 000,118,784 | RHS- | M] () -- C:\Users\R&J\AppData\Roaming\kmddspw.dll

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

Thanks very much, essexboy (and thanks also to you, safesurf, for your earlier response).

I ran OTL again after clicking the ‘Run Fix’ button with your code pasted in, but I might have done the wrong thing with the subsequent OTL scan. I assumed you meant to run the OTL scan according to the same directions as the first time (ie: as per this link: http://forum.avast.com/index.php?topic=53253.0).

Anyway, hoping to cover all bases, I’ve run a second scan without any code in the Custom Scan Box - now also attached with the log from the first scan.

Cheers!
Ross

Update: the problems have returned. ie: automatically re-directed from URLs brought up with google, and false malicious malware warnings from Avast for multiple sites, including big mainstream news sites I peruse regularly (ie: most unlikely they are all actually infected).

And again, an effective workaround is to copy and paste URL addresses directly into browser rather than clicking on URL links brought up by Google.

Of course, this is all very irritating, but my biggest concern is the possibility of being open to identity and password ripoff in the event that whatever has happened to cause this havoc has also resulted in my computer being left open to hackers.

Should I stay offline, logging on only to check this forum for further directions?

Also, is it likely that my backup Seagate HD has also been infected with whatever had gotten into the computer hard drive? (I have the Seagate set to back up daily, so it would have done so over the last few days when these redirect and false Avast warnings problems have been evident).

Does this occur in all browsers or just Firefox ?

Is it only firefox ?

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1
Download Mirror #2

[*]Ensure all Firefox windows are closed.
[*]To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
[*]When prompted to run the scan, click Yes.
[*]GooredFix will check for infections, and then a log will appear.

Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Thanks for your continued attention, essexboy. I must say, this is a terrific forum. Dunno where I’d be without it - probably looking up how to reformat my HD.

The malfunctions as described happened in both IE9 and FF before. Subsequent to my following your directions re removing the anomalous file, I have only used FF. I’ll change to IE now and see what happens.

Have followed your GooredFix directions - log attached.

Cheers
Ross
Update: Have been getting redirects to unwanted sites in IE - this is since running GooredFix, so the problems are still present, and affecting both FF and IE.

OK time to look deeper

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

• IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Indebted to you, essexboy. Most appreciative of your assistance.

Have run Combofix as directed. Log attached.

Have only just finished Combofix scan, so don’t know how browsers are behaving as yet.

Cheers
Ross

Methinks that it may be dead now

Wow6432Node-HKCU-Run-opqn - c:\users\R&J\AppData\Roaming\kmddspw.dll- deleted

Could you check the browsers out please

So far, so good today, essexboy. Only used FF so far, but all appears to be functioning normally.

May I ask for your diagnosis? What exactly was the problem? Was it a rootkit virus, or something like that? Is it well known, and does it have a name?

Also, is it possible that my backup hard drive - a 500Gb Seagate Freeagent desktop - could be infected and could therefore reinfect my computer HD? I was backing up to the Seagate daily during the period when the virus, or whatever it was, was active.

Cheers and thanks sincerely for your invaluable help.
Ross

It was a minor variant of zero access that had not fully installed

Give the backup drive a good scan with Avast before you use it

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [emptytemp] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

.
Remove ComboFix

[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[]Follow the prompts on the screen
[]A message should appear confirming that ComboFix was uninstalled

.
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[]Click OK.

.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
.
Upgrading Java:

[] Go to this site and click Do I have Java
[] It will check your current version and then offer to update to the latest version

.
SPRING CLEAN
.
To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]GoStart > All programs > Accessories > system tools
[*]Right click Disc cleanup and select run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[]Select OK
[]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe

Great news that all appears clear now, essexboy. THANK YOU.

I’ve used FF all day without a problem, and tomorrow (1.20am here at the moment) I’ll switch to IE. Will report back around this time tomorrow to confirm (hopefully) no further issues.

Will also work through the cleanup as directed, begin the regime of ‘housekeeping’ you recommend, and read the article linked to. The positive in all this is to now have a better regime to stick to in order to minimise chances of infection in future. I thought I was doing all the right things with Avast, Malwarebytes and Superantispyware, but obviously not - and I confess, I was not using all programs as regularly as I should have been. I feel I got off lightly, considering.

At the risk of sounding like a parrot, I am most appreciative of all your assistance and advice.

Cheers
Ross

My pleasure ;D

Hi again, essexboy.

I’m pleased to report that all is humming along now, without problems.

I’ve done everything as you set out in your ‘cleanup’ recommendations, and have also read and acted upon the recommendations in the 'How Did I Get Infected In The First Place" guide - really excellent. I now have a housekeeping regime to stick to from here on.

Ran an Avast scan on my Seagate HD - nothing nasty detected. So, all in all, happy camping over this way.

I have a review blog (mostly movies). Would you mind if I wrote up my experience on this forum for the benefit of others who might have the misfortune to cop the zero access virus (or other invaders, for that matter)? I can’t imagine a better place to seek out in the event of computer infection. This forum, and particularly having access to your expertise, essexboy, is a huge side-benefit of choosing Avast as an anti-virus program.

Cheers!
Ross