URL Blocked 'http://rk400.com/?sov=rook-xxx'

Hi All

Long time lurker, 1st time poster :slight_smile:

Every now and then, a pop-up appears
http://i1080.photobucket.com/albums/j333/monkeyinawalnut/rk400.gif
and then disappears. This happens with a varying degree of regularity, some days every 5 or 10 mins and some hardly at all.

I seem to be experiencing the same issue as posted at http://forum.avast.com/index.php?topic=96696.60. However, I have searched for C:\Program Files\Internet Explorer\ws2help.dll but can't seem to find it. I have run MBAM and Avast root scans but they detect nothing.

I have an ACER Aspire 5100 running Vista Home Premium SP2, 32 bit, 3GB RAM.

Is there anything you can suggest I should look at, or any help you can offer?
Cheers

See the guide here: http://forum.avast.com/index.php?topic=53253.0

Attach the Malwarebytes / OTL / aswMBR logs, and you will get help later today.

thanks.

I should add that the pop-up is displayed when using both IE8 and FF12.0, though it appears more often when using IE.

Here's the MBAM log, I'll get the others.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.28.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19170
James :: HOME-PC [administrator]

04/05/2012 18:05:02
mbam-log-2012-05-04 (18-05-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214748
Time elapsed: 10 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Don't copy and paste the next logs… attach them… see the attach button below the text box.

Here are the OTL logs.

A question if I may - did you install Haute Secure? From my reading, this does a similar job to Web Shield and may well be causing a conflict, resulting in the alerts.

I do have Haute Secure, yes… is that causing the problem?

Here's the aswMBR log - it mentions an infection: File: C:\Windows\system32\drivers\int15.sys INFECTED Win32:Zeroot-B [Rtk]

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-04 21:09:05

21:09:05.698 OS Version: Windows 6.0.6002 Service Pack 2
21:09:05.698 Number of processors: 2 586 0x4802
21:09:05.701 ComputerName: HOME-PC UserName: James
21:09:07.777 Initialize success
21:09:11.137 AVAST engine defs: 12050401
21:09:21.442 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
21:09:21.446 Disk 0 Vendor: Hitachi_HTS541612J9SA00 SBDOC70P Size: 114473MB BusType: 3
21:09:21.464 Disk 0 MBR read successfully
21:09:21.472 Disk 0 MBR scan
21:09:21.476 Disk 0 unknown MBR code
21:09:21.481 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 7993 MB offset 63
21:09:21.500 Disk 0 Partition 2 80 (A) 06 FAT16 NTFS 53395 MB offset 16370235
21:09:21.520 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 53081 MB offset 125724690
21:09:21.531 Disk 0 scanning sectors +234436545
21:09:21.610 Disk 0 scanning C:\Windows\system32\drivers
21:09:28.111 File: C:\Windows\system32\drivers\int15.sys INFECTED Win32:Zeroot-B [Rtk]
21:09:38.975 Disk 0 trace - called modules:
21:09:39.005 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
21:09:39.381 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8612f710]
21:09:39.393 3 CLASSPNP.SYS[8a5bd8b3] → nt!IofCallDriver → [0x85fd4f08]
21:09:39.402 5 acpi.sys[89e0f6bc] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x85fc8030]
21:09:39.968 AVAST engine scan C:\Windows
21:09:43.806 AVAST engine scan C:\Windows\system32
21:12:44.206 AVAST engine scan C:\Windows\system32\drivers
21:12:51.415 File: C:\Windows\system32\drivers\int15.sys INFECTED Win32:Zeroot-B [Rtk]
21:13:02.059 AVAST engine scan C:\Users\James
21:15:50.598 AVAST engine scan C:\ProgramData
21:18:37.774 Scan finished successfully
21:25:30.823 Disk 0 MBR has been saved successfully to “C:\Users\James\Desktop\MBR.dat”
21:25:30.836 The log file has been saved successfully to “C:\Users\James\Desktop\aswMBR.txt”
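As an added example (not part of this thread or of aswMBR itself), a small Python parser that pulls the detections, the partition table and the MBR warning out of an aswMBR log in the format shown above; the log excerpt inside it is constructed from the lines quoted in this post. It dedupes the two reports of the same driver and flags a partition whose type byte disagrees with the filesystem actually found on it.

```python
import re

# Constructed excerpt modelled on the aswMBR log quoted above, not the actual attachment.
SAMPLE_LOG = r"""21:09:21.476 Disk 0 unknown MBR code
21:09:21.481 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 7993 MB offset 63
21:09:21.500 Disk 0 Partition 2 80 (A) 06 FAT16 NTFS 53395 MB offset 16370235
21:09:21.520 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 53081 MB offset 125724690
21:09:28.111 File: C:\Windows\system32\drivers\int15.sys INFECTED Win32:Zeroot-B [Rtk]
21:12:51.415 File: C:\Windows\system32\drivers\int15.sys INFECTED Win32:Zeroot-B [Rtk]
21:18:37.774 Scan finished successfully
"""

INFECTED_RE = re.compile(
    r"^\S+ File: (?P<path>.+?) INFECTED (?P<detection>\S+)(?: \[(?P<kind>[^\]]+)\])?$")
PARTITION_RE = re.compile(
    r"^\S+ Disk (?P<disk>\d+) Partition (?P<index>\d+) (?P<boot>[0-9A-Fa-f]{2}) (?:\(A\) )?"
    r"(?P<type_id>[0-9A-Fa-f]{2}) (?P<type_label>.+?) (?P<fs>\S+) (?P<size_mb>\d+) MB offset (?P<offset>\d+)$")
MBR_WARN_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) unknown MBR code$")


def parse_aswmbr(text):
    """Extract detections, partition entries and MBR warnings from an aswMBR log."""
    infected, partitions, mbr_warnings = {}, [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := INFECTED_RE.match(line):
            # The MBR-scan pass and the engine pass report the same file; key on path to dedupe.
            infected[m["path"]] = {"path": m["path"], "detection": m["detection"], "kind": m["kind"]}
        elif m := PARTITION_RE.match(line):
            partitions.append({"disk": int(m["disk"]), "index": int(m["index"]),
                               "active": m["boot"].upper() == "80", "type_id": m["type_id"].upper(),
                               "type_label": m["type_label"], "fs": m["fs"],
                               "size_mb": int(m["size_mb"]), "offset": int(m["offset"])})
        elif m := MBR_WARN_RE.match(line):
            mbr_warnings.append(int(m["disk"]))
    return {"infected": list(infected.values()), "partitions": partitions, "mbr_warnings": mbr_warnings}


def findings(summary):
    """Turn the parsed summary into the points a helper would read off the log."""
    notes = [f"{d['path']} flagged as {d['detection']}" + (f" [{d['kind']}]" if d["kind"] else "")
             for d in summary["infected"]]
    # Unrecognised boot code is worth a look but is not a detection by itself; non-standard
    # boot managers produce the same line, so confirm where the MBR code came from before acting.
    notes += [f"Disk {n}: MBR code not recognised by aswMBR" for n in summary["mbr_warnings"]]
    for p in summary["partitions"]:
        # Partition type byte claims one filesystem (06 = FAT16) while the volume carries another.
        if p["fs"] not in p["type_label"]:
            notes.append(f"Disk {p['disk']} partition {p['index']} ({'active' if p['active'] else 'inactive'}): "
                         f"type {p['type_id']} {p['type_label']} but filesystem is {p['fs']}")
    return notes
```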

It may be; however, let's check that file out.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Please find the ComboFix log attached… I assume I'm OK to enable Avast and Haute Secure again?

I restarted Avast and Haute Secure. Been browsing using FF for about 5-10 mins and got the pop-up again.

Could you do a test for me please… Disable Haute Secure for a few hours and then, if no alerts occur, restart it… Do the alerts come back?

Sorry to say that whilst the alerts don't seem as frequent, they are still occurring with Haute Secure disabled.

Could you post a screenshot of the last alert please?

Sure, here you go:

http://i1080.photobucket.com/albums/j333/monkeyinawalnut/040512.gif

Let's see if TDSSKiller can cure the int file; if it does not, we will then replace it.

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

  • Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Get the report by selecting Reports.

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

OK, thanks.

Here are the results of the scan… it only found 'suspicious objects', nothing 'malicious'. I assume that, as only suspicious objects were found, the Cure → Continue → Reboot Now instruction doesn't apply/appear.

Log file attached.

OK, let's see if we can find a replacement for the bad file. There will be just one log this time.

  • Run OTL. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users.
  • Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
int15.*
/md5stop
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.

thanks for your continued help with this. :slight_smile:

Please find the log attached.

Not a problem, I do not like to be beaten ;D

On completion, could you re-run aswMBR please and post the log.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the Protection tab.
Remove the tick from "Start with Windows".
Reboot and then run OTL.

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Commands [CREATERESTOREPOINT]

:Files
C:\Windows\System32\drivers\int15.sys|C:\Acer\Empowering Technology\eRecovery\int15.sys /replace

:Commands
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hi Essexboy, do you want me to re-run aswMBR after I have run the OTL fix? Just a little bit confused, as you instruct to do this 'on completion' but posted that instruction first, so I wanted to make sure when to do it before going ahead :slight_smile:

Also, I only have the free MBAM, and it appears that the Protection tab is only active with the paid-for version.