
partner37.mydomainuser malware infections

Discussion in 'Malware Removal' started by hedvix, Apr 14, 2012.

  1. hedvix

    hedvix Private E-2

    Recently I've been having problems while surfing with Firefox. Occasionally I'll be redirected to a "404 cannot be displayed" page, or to another page that looks similar to a search engine with an address of "partner37.mydomainuser...."

    I've tried to look for solutions online, so I've tried several solutions as well. One of them from "malwarebytes.org" suggested that I should set my Firefox proxy to "no proxy"... I noticed that it did not entirely get rid of the problem, but it seems like a way to get around it, since I still get them occasionally, but less frequently. But the moment I change "no proxy" to "auto-detect", the problem occurs right away.

    Usually, as soon as I get these errors/redirects, I close Firefox and use CCleaner to clean up temp files before starting Firefox again; this seems to work in order to access those pages.

    I've done all the scanning (as mentioned before starting a thread) and managed to pick up a few hidden pieces of malware as well, but nonetheless, the problem is still there right now.

    Attached Files:

  2. hedvix

    hedvix Private E-2

    Here are my MGlogs, since I could only attach 4 on my OP

    Attached Files:

  3. hedvix

    hedvix Private E-2

    After reading more forum threads here, I decided to give "Fixing Google Redirection/hijacking and other redirection problems" a go as well.
    So I did a scan with Goored.exe, TDSSKiller.exe, FixTDSS.exe and MBRCheck.exe

    The results of scans are attached in this reply.

    From FixTDSS.exe, I got a popup message at the end of the scan saying (not sure if it is good or bad):

    "Backdoor.Tidserv has not been found on your computer"

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    C:\Documents and Settings\Owner\Local Settings\Application Data\K5M0C7zPOAUf
    C:\Documents and Settings\All Users\Start Menu\Programs\0BC3~1 
    C:\Documents and Settings\Owner\Templates\115d1dw5jrca
    C:\Documents and Settings\Owner\Local Settings\Application Data\115d1dw5jrca
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  5. hedvix

    hedvix Private E-2

    Hello kestrel13!,

    Thank you for the reply. I've done what you asked me to do. I've attached the combofix log and Mglogs below. No errors/problems came up during those scans.

    I did notice that my host file located in WINDOWS/system32/driver/etc, which was supposed to be filled with entries of blocked websites, became empty. Did combofix do this? I copied from my backup host file before surfing the net.

    ~~~~ The following is what I did last night, before running these scans:
    While browsing the net, I did manage to pinpoint a particular website that seems to trigger this malware/virus to redirect me to partner37.mydomainuser.... It would first start up 2 popup windows (some form of advertisement), then it would start redirecting me when I tried to access random websites (websites that I frequently visit).

    I then tried including partner37.mydomainuser in my "host" file to see if it could stop the problem. I noticed that the popup still came up, but instead of redirecting me to partner37.mydomainuser, it redirected me to an empty white page (the address of the website still remained the same, not partner37.mydomainuser).
    My best guess is that it sort of half-blocks the infection with the help of my "host file". Though something is still triggering it.

    Now, after running your instructions and copying my backup host file, the infection doesn't seem to trigger.. or at least I'm not being redirected or getting a white page. Is it safe to assume I am clean now?

    Attached Files:
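The post above describes blocking the redirect target through the hosts file: a name that resolves to a loopback address never reaches the real server, which is why the redirect turns into a blank page instead of the partner37 site, and why the problem returns as soon as the entry is removed or the file is emptied. The script below is an added example, not code from the thread or from any of the tools it mentions; it parses a Windows-style hosts file, reports whether a given domain is blackholed, and flags entries that point a name at a non-loopback address (the kind of change worth reviewing when a hosts file has been tampered with). The hosts contents and the `example.invalid` names are constructed for the demonstration; `partner37.mydomainuser.com` is the domain named in the thread.

```python
"""Check what a Windows-style hosts file does with a given domain.

Added example for this thread (not the original poster's or any tool's code).
The hosts file contents below are constructed to mirror the two states the
post describes: a backup with blocking entries, and a file that was emptied.
"""
import ipaddress

# Addresses that make a name unreachable (a "blackhole" entry).
BLACKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample: the backup hosts file with blocking entries.
BACKUP_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         partner37.mydomainuser.com      # redirect target from the thread
0.0.0.0         ads.example.invalid  tracker.example.invalid
"""

# Constructed sample: the same file after it was wiped (only the default entry).
EMPTY_HOSTS = """\
127.0.0.1       localhost
"""


def parse_hosts(text):
    """Return {hostname (lowercased): [addresses]} from hosts-file text.

    Comments (# ...) and blank lines are skipped; a line whose first field is
    not a valid IP address is ignored rather than raising.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; not a resolvable entry
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), []).append(addr)
    return mapping


def is_blackholed(hosts_map, domain):
    """True when every hosts entry for `domain` points at a loopback/null address."""
    addrs = hosts_map.get(domain.lower().rstrip("."), [])
    return bool(addrs) and all(a in BLACKHOLE_ADDRS for a in addrs)


def non_loopback_entries(hosts_map):
    """Names that the hosts file sends to a real address.

    Legitimate hosts files rarely need these; an entry like this for a
    security vendor or a frequently visited site is a sign of tampering.
    """
    return sorted(
        name for name, addrs in hosts_map.items()
        if any(a not in BLACKHOLE_ADDRS for a in addrs)
    )


def blocking_status(text, domains):
    """Map each domain to whether the given hosts-file text blackholes it."""
    hosts_map = parse_hosts(text)
    return {d: is_blackholed(hosts_map, d) for d in domains}


if __name__ == "__main__":
    target = "partner37.mydomainuser.com"
    for label, text in (("backup", BACKUP_HOSTS), ("emptied", EMPTY_HOSTS)):
        status = blocking_status(text, [target])[target]
        print(f"{label:8s} hosts file: {target} blackholed = {status}")
    # A constructed tampered entry: a real site pointed somewhere else.
    tampered = BACKUP_HOSTS + "203.0.113.9   update.example.invalid\n"
    print("entries pointing at real addresses:", non_loopback_entries(parse_hosts(tampered)))
```

The blackhole check only tells you whether the symptom is masked, which is exactly what the post observes: the entry stops the browser reaching the redirect target, but whatever issues the redirect is untouched, so the hosts file is a diagnostic aid rather than a fix. On Windows the file lives at `%SystemRoot%\System32\drivers\etc\hosts` and can be fed to `parse_hosts` after reading it with `open(path, encoding="utf-8", errors="replace").read()`.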

  6. hedvix

    hedvix Private E-2

    Hi again,

    It turns out the blank "white" page that I am getting while surfing in Firefox is because of my "host" file; the moment I removed "partner37.mydomainuser", the problem returned right away.

    The problem is not fixed yet.

    Looking through my combofix.txt,
    I saw that there were some suspicious folders (random names) that were deleted, but this time with a different name.

    C:\Documents and Settings\All Users\Application Data\115d1dw5jrca

    I haven't deleted anything yet, but I feel that I am still infected
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, but I notice you have Spybot installed; this could have had some effect, as it integrates with the host file I believe.

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the [IMG] area. Do not include the word Code.
    c:\documents and settings\Owner\Local Settings\Application Data\K5M0C7zPOAUf
    C:\Documents and Settings\All Users\Start Menu\Programs\0BC3~1
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  8. hedvix

    hedvix Private E-2

    I did the scan with OTM. Since I'm on XP, it didn't give me the option to run as administrator. But I am the only user on this computer and my current user account is set as administrator.

    OTM crashed at the end of the scan, I believe. My desktop became empty and no bottom taskbar was visible. I had to restart using ctrl+alt+del, via Windows Task Manager.

    When I rebooted, the logs from OTM appeared, as attached below.
    I checked and I am still being redirected.

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download this and transfer it to your PC.

    Please download Farbar Service Scanner and run it on the computer with the issue.

    • Check all the boxes.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and attach the log to your reply


    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: Right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
  10. hedvix

    hedvix Private E-2

    Both scans went without problem/errors

    The logs are attached below.

    Also, is it safe for me to delete some of these tools once I finish using them? I know combofix requires special uninstallation procedure (combofix /uninstall), what about the others?

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We need to focus on solving your redirection, and until we do that, we need all the tools. Thanks. Checking those logs now.
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  13. hedvix

    hedvix Private E-2

    Hi Kestrel,

    I did what you asked me to do and yes, the moment I restored my host file to default, I am getting redirected again to partner37.mydomainuser.com
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run this and attach the results.

    Using ESET's Online Scanner

    It will take time, so be patient. If that does not find anything I think our next best move would be to have you back up your firefox bookmarks etc and uninstall > reinstall. I will provide instructions for that later.
  15. hedvix

    hedvix Private E-2

    I did 2 scans because the first scan stalled in the middle.
    The first scan had 2 infections, the 2nd scan had 4 infections.

    The logs are attached below.
    Checked afterwards, browsing with firefox and I am still being redirected.

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:

    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

    Start by uninstalling FireFox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:

    C:\Documents and Settings\UserAccount\Local Settings\Application Data\Mozilla
    C:\Program Files\Mozilla Firefox

    where UserAccount is the actual user account name being used.

    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file. (similar process to exporting).

    Is FireFox working okay now or is it still redirecting?
  17. hedvix

    hedvix Private E-2

    Followed the procedure as instructed, unfortunately, I am still being redirected to that website.

    With the new firefox, instead of me getting a blank white page (using the host file to block), I am instead getting an error connection page.
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Big sigh... You have been working across multiple forums. Very much frowned upon, because now there are two of us on the toil to try and fix you up. It's a waste of resources. Who do you wish to work alongside, me or LDTate, who probably is not aware that you have a thread here already? (I presume you want to stick to us as you have not posted at the other forum since the 16th.) You need to let them know, though, that they can close that thread if you're sticking here.
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    C:\Documents and Settings\Owner\Local Settings\Application Data\blekkotb <----- Is this folder empty?? Have you ever installed something called blekko toolbar?
  20. hedvix

    hedvix Private E-2

    Oh yes, I apologize about that, LDTate; I didn't really check back with them. I will let them know. Sorry for the inconvenience.

    The blekkotb folder is empty and has been deleted.
