Rootkit warning - boot scan found nothing

Hi,

Last night my PC started acting odd. First I noticed that while on hxxp://www.articleblast.com/ I was constantly being redirected to a spammy survey page (even from my account pages). This only happened on Article Blast though. (The page I get automatically sent to: hxxp://consumer-deals.com–prize.info/uk/3I/3gdh/?engsec=4 )

I had a warning of sorts from Facebook and was locked out for a while, but since got back in. But, sometimes Facebook pages come up blank and need refreshing a few times.

Then my PC Tools Firewall stopped working and turned off.

I ran a scan with Avast and Malwarebytes but they found nothing.

Then a little later Avast popped up saying that it had found a rootkit virus and suggested a scan on boot. So I did that and left it scanning overnight.

This morning Avast reports “no virus found” again.

I just went to ArticleBlast again and on reading a random article I was once again redirected. So something is still not right. Maybe ArticleBlast itself has been affected and the other things I saw were just coincidence? Although 4 coincidences in one evening seems a lot!

I just downloaded and ran McAfee's Rootkit Remover and that found nothing.

Suggestions please.

This is a work PC so really need to get secure. May clear all passwords out of Chrome and Firefox to be safe though.

Update: Also ran Kaspersky Rootkit Scanner and nothing found.

Now burning the Microsoft Systemscanner (http://connect.microsoft.com/systemsweeper) to a disk. Taking a while so will get on with other things.

XX added to links.

Please modify your post to change the http to hxxp in your links so that they are not clickable, we don't want anyone getting infected now do we :wink:

nasty one there anywayz, follow the guide: http://forum.avast.com/index.php?topic=53253.0

:slight_smile:

Malware Bytes log (I did a full scan while at the dentist):

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.13.02

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Jon :: JON-PC [administrator]

13/03/2012 09:14:37
mbam-log-2012-03-13 (09-14-37).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 294855
Time elapsed: 34 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

OTL.Txt and Extras.Txt reports attached

aswMBR.exe log

Do I need to Download RogueKiller too?

Got your message akama1 but do not have reply privileges.

Shall I run that too then?

While waiting for a reply I am backing up all important data and preparing for the worse!

I also just downloaded AVG Free and am running the anti-rootkit scan and it has so far found 2 items:

Corrupted section ntkrnlpa.exe[PAGE] NtQuerySystemInformation+0x4BEF, size 4 bytes
Corrupted section ntkrnlpa.exe[PAGE] RtlInitializeSid+0x96A, size 4 bytes

… still running …

OK, scan finished, neither of them has been removed or healed. Should I force delete them (Remove all unhealed)?

Interesting as I Googled ntkrnlpa.exe and see some people have reported BSODs related to it. Last week my PC did crash, BSOD, first time on this PC. So this may possibly be another problem. Since then there has been a Windows update.

If nothing is obvious I will probably just reinstall Windows once everything is backed up.

Although would help to not have to do that.

ntkrnlpa.exe is a legitimate Windows file - remove it and your system dies

aswMBR shows no rootkit activity

OTL shows no suspicious files/loading points

If this happens on just one web site I would suspect that it has been hacked

However, to put your mind at rest we can run a deep virus scan and analysis

This programme will produce a zip file that I will need to analyse
Could you upload it to mediafire and post the sharing link

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPfront.gif

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpsettings.gif

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif

On completion click the link to locate the zip file to upload and attach to your next post

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif

Is there a way to find out if articleblast.com has been hacked then? - OK, a friend checked and he gets redirected too.

Still having FB strangeness - a screenshot: https://lh5.googleusercontent.com/-_xpyZrL89hk/T1-HCbbwjxI/AAAAAAAADOg/4l6yYB4Ze40/s1152/Facebook-blank.jpg - hitting refresh a few times seems to get the site working again. Suspicious though!

Kaspersky running … says it will finish in 5 days. 14150 objects completed. 13 minutes gone. No threats detected (yet).

Is there a way to find out if articleblast.com has been hacked then?
Seems like it has been: http://sitecheck.sucuri.net/results/http://articleblast.com/ (Sucuri info: http://sucuri.net/malware/web-site-disabled)

urlQuery http://urlquery.net/report.php?id=31153

virustotal HTML scan
https://www.virustotal.com/file/32236189f24b59d900222c82a3c3c65e10be79a5daaea24fe2494c4e19c28286/analysis/1331663309/

Hmmm, so, if they know it is hacked, do they know if the virus can be passed on, and if so, what it is? Maybe I have something odd / new? Maybe I am just getting paranoid!

Update:

Kaspersky - Automatic Scan: running (events: 67072, objects: 306875, time: 04:08:57)
Still 1 day to go.
No threats found yet.

Chrome / Facebook: after Googling the problem I found a Yahoo! Answer that gave me an idea. I got under the Chrome bonnet and deleted all cookies. I then deleted several Extensions that I no longer use much.

This seems to have fixed the problem. No idea whether some old cookies or a specific extension, I got rid of a fair few, couple of SEO ones, a spell checker, 2 Google +1s, Gmail thingy, Skype thing. Something must have started upsetting Google Chrome. No idea what as I steamed in and removed them all (sorry!).

Kaspersky will finish in about a week by the looks of things (8% complete after 4 hours, so I guess it could be 2 days?).

I will update you then!

You can stop the scan now if it was related to a hacked site and one of your add ons (I have never used Chrome and only played with FF)

I guess no harm in leaving it running while it is there. Almost time for bed, maybe it will be done in the morning. It is not slowing things down either.

Is there a way to find out if articleblast.com has been hacked then?

Norman lab

This site does not contain any malicious javascript or exploit, it has three tracking scripts related to ads adBrite, quantserve and Google Analytics that are possibly inserted by site admin or by some wordpress plugin.

So do they have a virus or not? The site is unusable for me, every single page results in a redirect. And the same problem affected a friend that took a look for me.

I caved in. I had to turn off Kaspersky. Got bored with it running!

Everything seems OK. Thanks for the tips and advice.