[SOLVED] VIRUS/Rootkit => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com

I didn’t want to repost this entire thread so here is the link: http://forum.avast.com/index.php?topic=95962.0
At this point I’m trying to figure out if there is malware or virus generating this request and if not how to supress the message ?
You can see from referenced thread the system appears clean and this pops up as soon as I open IE8.

Thx.

Follow this guide and attach the logs from malwarebytes quick scan / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

when done one of the malware removal specialists will help you…you may have to wait untill tomorrow night

Thx…I will have to set aside some time and download and run all scans to post.

I’ll repost details in few days.

Regards.

Here are the MBAM & OTL logs.
I have the Avast (which shows no threats) but is 2MB…guess I can’t upload that file ?

Here are the RK logs…

The popup still happens after I followed the instructions per the link and rebooted PC.

Here is aswMBR log.

I do have RollBack RX installed on this computer and I know it changes the MBR so I did not try to “fix” by this replacing a new MBR.
I would need to uninstall RX first then proceed with fix.

Please help on any suggestions…I’m at my wits end…frustrating. :frowning:

Thx !

Essexboy,

I have not done aything else but have been reading on ComboFix, TDSSKiller & Kasperky Resue Disc 10.
I’ll wait for instructions from first.

Also, key to note…

  • I do have Macrium Reflect on the machine so will take full image prior.
  • I also have Horizon DataSys RollBack RX(http://www.horizondatasys.com/169614.ihtml) installed which is great program but machine was infected past and past snapshot point. This program does alter the MBR and the state of the physical HDD is the baseline…not all the new edits/changes. Also, they warn of software A/V programs that load prior to their POST console driver load or very low level stuff…guess can cause issues. Thus, I’d probably need to uninstall this first and have the XP Pro SP3 machine in a normal Windows O/S state…no RollBackRX in MBR.

Thx.

Hi,

The aswMBR log looks ok…let me look over the other logs and I will return as quickly as I can. For the time being could you let me know exactly what symptoms you are experiencing that makes you think it might be malware. :slight_smile:

Hi,

It seems you had Norton/Symantec on your system at one time and some of the files are still hanging around. Download and run the tool here >> ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe to remove all of Symantec.

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {530BA5C2-9B7B-45A3-A57E-52197F6C7ABC}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&query={SearchTerms}&invocationType=tb50-ie-dlink-chromesbox-en-us
O1 - Hosts: 192.168.1.103 NPI99CF7E
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O15 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..Trusted Domains: shift.co.kr ([www] http in Trusted sites)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2007/02/18 14:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

:Files
ipconfig /flushdns /c

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"=-
"2869:TCP"=-
"139:TCP"=
"445:TCP"=
"137:UDP"=
"138:UDP"=
"10243:TCP"=-
"10280:UDP"=-
"10281:UDP"=-
"10282:UDP"=-
"10283:UDP"=-
"10284:UDP"=-
"3389:TCP"=-
"5985:TCP"=- 
"80:TCP"=-

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

What happens is every time I open IE8 the Avast Web Shield pops-up that URL Blocked http://rk400.com/?sov=rook-s1ysoft.com, THREAT Detected and Blocked. Looking on the web this appears to be a bad site…known. This Avast popup happens two-three times then stops. The thing is I’ve done nothing but open IE8…Google or Yahoo home page…nothing typed in. I’m glad Avast blocks it but something in the PC is seeing explorer come up and is trying to access the site…thus, I assume a Malware or Rootkit type thing. Does that make sense ?

Thx…I’ll try this tommorow…late here on East Coast and I have early morning appt !

I’ve used ERUNT for years…like it alot…think when I cleaned this PC origonally I forgot to put it back on…I’ll do that.
Also, thx for the cleaner link on Norton…I used to have it then AVG, now Avast. Not to be negative to Norton or AVG but they went from great products to total bloat-wear on my PCs…I love Avast…wow !

Hi,

Take your time with running the fix.

Not to be negative to Norton or AVG but they went from great products to total bloat-wear on my PCs......I love Avast.....wow !
Let's make sure all of AVG is removed as well. Download and run the removal tool found here >> http://download.avg.com/filedir/util/support/avg_remover_stf_x86_2011_1322.exe

OK…AVG & Norton cleaners run…thx !!!

I also attached is the log file after running the custom scan with your paste code. Note, I DID check LOP Check & Purity for this run since you said for the next not to do so…so my assumption was you wanted me to on first run with the code.

Here is the scan log after…LOP Check & Purity not checked.

Thx in advance for the help !!!

Hi,

Thx in advance for the help !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
You are more than welcome. :) --------------

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

[*]Please go here then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

[*]

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

[*]Select the option YES, I accept the Terms of Use then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif

[*]When prompted allow the Add-On/Active X to install.
[*]Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
[*]Now click on Advanced Settings and select the following:

[*]Scan for potentially unwanted applications
[*]Scan for potentially unsafe applications
[*]Enable Anti-Stealth Technology

[*]Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif

[*]The virus signature database… will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
[*]When completed the Online Scan will begin automatically.
[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
[*]Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

In your next reply let me know how your system is running and attach the logs made by Malwarebytes and ESET online scanner.

Jeff, thx.

I have MBAM installed but not enabled as realtime so it won’t conflict with Avast which is always on.
I’ll run a Quick Scan and post but you saw above in thread a ran a FULL scan in MBAM prior ?..nothing found.

Also, how were the new OTL scan logs after your script you had me run with FIX ?
As FYI, I no longer have this popping up but to be honest this happened a little while back…was gone for day or so then back again.

Lastly, did you see my aswMBR log above ?..it had this item…problem ?
12:50:18.812 Disk 0 MBR [possible unknown bootkit@MBR] ROOTKIT
I am taking the family on Easter weekend to relatives so may be Monday before I can run the ESET Online scanner.

Hi,

Have a great time with your family over Easter. It is no problem to leave this open. :slight_smile:

I like to have Malwarebytes run again towards the end in case we shook anything else loose.

The OTL logs were looking pretty good. With Malwarebytes and ESET we are checking for anything left lurking.

The entry that you saw in the aswMBR log is directly related to the RollBack RX on your system. The program itself uses some technology that is seen as a rootkit but it is not actually. :slight_smile:

I have MBAM installed but not enabled as realtime so it won't conflict with Avast which is always on.
it usually dont.......never happend to me

if it does…this is how to avoid it - section K

http://forums.malwarebytes.org/index.php?s=54147ebdfdd762abba4d26e1e564e442&showtopic=10138&view=findpost&p=417798

Here is the MBAM Quick Scan…nothing found.
I’m calling it quits and will run the ESET Online Scanner Monday…have a great weekend !!!

I'm calling it quits and will run the ESET Online Scanner Monday......have a great weekend !!!
You have a great weekend too. If I happen to overlook the log on Monday please send me a PM. :)