See: http://zulu.zscaler.com/submission/show/eb71b5436884864926b377c4192b580e-1335287746
See: cyanmite dot com/ benign
[nothing detected] cyanmite dot com/
status: (referer=http:/twitter.com/trends/)saved 2664 bytes 6db79d370a173e04908b3752d3be605ca499d50b
info: [img] cyanmite dot com/pix/KCS-Website-072110.png
info: [decodingLevel=0] found JavaScript
suspicious:
Delete browser history and it appears to be gone.
Bitdefender TrafficLight flags it: htxp://trafficlight.bitdefender.com/info?url=http://www.cyanmite.com/
Also see: htxp://www.webutation.net/go/review/cyanmite.com#
HTML related but non-malicious?
Zulu says the css file is malicious; however, I do not see anything malicious about it. The analysis is timed 04/24/2012 at 17:15 PST. The time differences are close, yet the malware appears to have been taken down from this potentially malicious css file.
This is more or less speculative on my side, but analyzing the IP range, cleansed malware could have been an attempt to get more backlinks through an IE vulnerability. This could have meant that a “SutraTDS HTTP GET request” was being flagged, a known browser hijacker to redirect to questionable sites.
Polonus,
After reading your posts on several threads, please apply your excellent expertise to the following:
I installed AVAST a few days ago, and am sorry I hadn't done so sooner … excellent!
Avast has detected HTML:Framer-D and I could not find an Avast User Forum post regarding this particular type of Framer (-D), but assume it is as bad as the others, right?
Any suggestions on the best way to remove it?
I did try a few freeware tools that promised to remove it … they didn't (!) and caused the PC to freeze. Thank goodness for Windows System Restore!
Did you do a scan with MBAM? An additional emptying of all temp files using CCleaner is also preferred. Then reboot.
This seems to be a Koobface variant. To cleanse it further you need the assistance of a qualified malware remover. I have informed jeffce.
He will soon look into this issue and will propose a specific scan to obtain the log results thereof.
Please visit the site located here. Follow the directions for running OTL, aswMBR.exe and Malwarebytes and then attach the logs that are created to your next reply.
While I am looking over these, please do the following and we will get an Extras.txt log.
Please open OTL.
- Make sure all other windows are closed and let it run uninterrupted.
- When the window appears, click the None button near the top (it may look greyed out).
- In the Extra Registry section change it to All.
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open 2 notepad windows, OTL.Txt and Extras.txt. Please post the Extras.txt.
Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.
To disable Malwarebytes:
- Open the scanner and select the Protection tab.
- Remove the tick from “Start Protection Module with Windows” as seen below.
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL:
:Services
:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{cca2e567-1987-4100-a3c6-5b4267084510}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YKman000&ptnrS=YKman000&ptb=B93EF59B-8E38-4310-A503-B116B8A4D752&psa=&ind=2012041912&st=sb&n=77ed52b8&searchfor={searchTerms}
IE - HKU\S-1-5-21-602162358-1801674531-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F4 37 FC 8B AD C7 CA 01 [binary data]
IE - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?FORM=IEFM1&q={searchTerms}&src={referrer:source?}
[2012-06-29 20:51:17 | 000,000,000 | ---D | M] (uTorrentControl2 Community Toolbar) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKU\.DEFAULT..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
O4 - HKU\.DEFAULT..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
O4 - HKU\S-1-5-18..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
O4 - HKU\S-1-5-18..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet)
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: itau.com.br ([bankline] https in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: itau.com.br ([guardiao] https in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1801674531-839522115-1004\..Trusted Domains: itau.com.br ([www] http in Trusted sites)
O33 - MountPoints2\{81019e87-32ef-11df-ae5e-e29dd75b0cf6}\Shell - "" = AutoRun
O33 - MountPoints2\{81019e87-32ef-11df-ae5e-e29dd75b0cf6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{81019e87-32ef-11df-ae5e-e29dd75b0cf6}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
[2012-06-29 20:51:14 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2012-06-29 20:50:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\Local Settings\Application Data\Conduit
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Bob\*.tmp files -> C:\Documents and Settings\Bob\*.tmp -> ]
[2010-03-20 15:29:30 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Bob\Application Data\inst.exe
[2010-03-20 08:15:50 | 000,109,568 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
:Files
C:\WINDOWS\tasks\At*.job
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
- Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time).
Jeff … both logs attached.
Looking forward to your comments!
Also, Avast regular scans (quick + full) do not pick up virus.
Virus is reported when running Boot-time scan and reports:
C:\Documentos and Settings\Mami\local settingds\Application Data\Identities{711E9619-D929-445F-B16F-3E5FCA6B3980}\microsoft\OutlookExpress\Inbox.dbx|>60Segundos_Bellisimo06_C.eml#62042144|>60Segundos_Bellisimo06_C.pps#1890203406|>Pictures
Even though you might like to do so, please don’t run any scans unless asked to. You may inadvertently remove something that we need to see. Thanks.
Malwarebytes
I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
Please run a free online scan with the ESET Online Scanner. Note: You will need to use Internet Explorer for this scan.
- Tick the box next to YES, I accept the Terms of Use.
- Click Start.
- When asked, allow the ActiveX control to install.
- Click Start.
- Make sure that the option Remove found threats is NOT selected and the option Scan unwanted applications is selected.
- Click Scan (this scan can take several hours, so please be patient).
- Once the scan is completed, you may close the window. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic.
In your next reply please attach the logs made by Malwarebytes and ESET.
ESET ran on IE8 with serious problems, as expected.
Crashed and froze before generating the attached log on the third attempt!
IE8 has NOT run well for several months, prompting a move to Chrome.
Every time I open IE8 for any reason it crashes … no problems w/Chrome.
Logs attached.
BTW … Googled for info on the IE8 problem and did a Tools > Internet Options > Advanced > Reset and apparently IE8 is now working fine. Hope this doesn't affect our actions here.
Sorry … I got off the subject.
Yes, I have a malware issue: HTML:Framer-D virus
Avast Quick scan = not detected
Avast Full scan = not detected
Avast Boot scan = DETECTED
C:\Documents and Settings\Mami\Local Settings\Application Data\Identities{711E9619-D929-445F-B16F-3E5FCa6B3980}\Microsoft\OutlookExpress\Inbox.dbx|>60Segundos_Bellisimo06_C.eml#62042144|>60Segundos_Bellisimo06_C.pps#1890203406|>Pictures is infected by HTML:Framer-D
Trying to Delete\Move\Repair generates Error 42060
Request assistance in removing this virus.
Should a new thread be opened for this topic?
Are you sure you have only one resident AV solution running? Mind you, AVG reported a false positive for this HTML:Framer-D detection.
Was the flagged file a SlideShare file by any means? The error you got means that the system cannot open that file. You could go to Folder Options, show hidden files, find it and then establish what is locking it… did you try to repair a file that avast could not repair?
Only one resident AV … Avast.
Used AVG for a long time but recently changed to Avast … and quite happy about it, BTW.
I assume the file in question is “60Segundos_Bellisimo06_C.pps” and is/was a PowerPoint attachment to an email in the Outlook Express inbox.
I couldn't find any emails in Outlook Express with this attachment.
Several Windows Explorer searches with different wildcards also could not locate any files with this name.
Folder options is set to show hidden files.
I'm considering reinstalling AVG to see if it picks up the supposed virus, unless you have a better recommendation.
Finally, what do you mean by “try to repair a file that avast could not repair?”
- Extract it to your desktop.
- Double click TDSSKiller.exe.
- When the window opens, click on Change Parameters.
- Under “Additional options”, put a check mark in the box next to “Detect TDLFS File System”.
- Click OK.
- Press Start Scan.
- Only if Malicious objects are found, then ensure Cure is selected.
- Then click Continue > Reboot now.
- Attach the log in your next reply.
- A copy of the log will be saved automatically to the root of the drive (typically C:).