partner37.mydomainuser malware infections

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hedvix, Apr 14, 2012.

  1. hedvix

    hedvix Private E-2

    Yes, still getting the error,
    Server not found
    Firefox can't find the server at [whatever website I decide to visit after triggering]
    meanwhile my Chrome is fine
     
  2. thisisu

    thisisu Malware Consultant

    Explain this a bit more. Are you able to browse any websites using FireFox?

    Also attach a new OTL.txt by clicking the Quick Scan button.


    3BD44F0E-0596-4008-AEE0-45D47E3A8F0E - hxxp://www.threatexpert.com/report....6c9e18c-3717-4be1-a225-04e4471f5b6e}]
     
    Last edited: Apr 22, 2012
  3. hedvix

    hedvix Private E-2

    Basically right now, I can browse Firefox pretty fine on any website except for 1 website that works like a trigger for the redirection. As explained before, the website itself is not infected since I've tried it on a different computer. I currently have that particular website set as a bookmark since I visit it on a daily basis.

    So this is how the malware behaves...
    I can visit any website except for that one without being redirected.
    The moment I visit that website.... the next website (with a different address) will be redirected for me. It doesn't matter what it is, Google, the MajorGeeks forum, etc.

    Before, the redirection would give me a page of partner37.mydomainadvisor as I've shown in my previous post, which Kestrel helped get rid of...

    Though the triggering still happens on Firefox, I no longer get redirected; I just get a server connection error page... usually I'll need to refresh 4-5 times to get it working again, then I'll be able to browse normally again (as long as I don't revisit the website to trigger it again).

    Currently, I can no longer trigger the infection on Google Chrome after changing one of the settings in Chrome. I can confirm that when I change the settings back, it will trigger on Chrome as well..

    Sorry if this seems confusing
     

    Attached Files: OTL.Txt (88.6 KB)
  4. thisisu

    thisisu Malware Consultant

    Which website? If you don't want to post it here, attach the URL in a txt file and attach that to your next post. I will remove it once you have posted. You have too few posts to be able to PM me.

    Also why do you keep changing your hosts file? Please wait until malware removal is finished before you set your personal hosts file back.

    Let me know if the problem you are experiencing also occurs in Internet Explorer.
     
  5. hedvix

    hedvix Private E-2

    I've attached the link on the .txt as you've asked.
    Hosts file has also been emptied again, sorry about that. I'll stop using my backup until you tell me to.

    I don't think I actually have IE installed; it crashes whenever I launch it. I remember trying to remove IE from my computer, I must've.
     
    Last edited by a moderator: Apr 22, 2012
  6. thisisu

    thisisu Malware Consultant

    Got your attachment, thanks. Nothing wrong with the link, interesting that it triggers this redirection though.

    Here is what I want you to do, install Internet Explorer 8. You can download it from here: http://www.microsoft.com/download/en/details.aspx?id=43

    Installation will require a reboot. After IE8 has been successfully installed, test to see if the issue occurs in IE8, then let me know.

    Code:
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    I would also like to see new logs from ComboFix and MBAM so please update both (download a new copy of ComboFix.exe) and run scans with each (one at a time). Attach the updated logs when finished. Scan with MBAM first and then ComboFix afterwards.
     
  7. hedvix

    hedvix Private E-2

    Do you want me to run a normal combofix run? Or do I use that code you've posted on CFScript?
     
  8. thisisu

    thisisu Malware Consultant

    Yes
    No, ignore the code.
     
  9. hedvix

    hedvix Private E-2

    Did MBAM full scan, so it took a while, both logs are attached.

    I installed IE and surprisingly, it doesn't seem to trigger in IE. For now, I've tried several times and it's not triggering. I've been wrong before when I said it didn't trigger on Chrome when it eventually did.

    But after combofix run, it's still triggering on firefox.
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    I believe the previous fix removed the entries associated from IE. However it looks like it had some trouble with FireFox and Google Chrome.

    Try these fixes and then let me know if the problem still occurs.

    Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:

    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.

    Fix items using OTL by OldTimer

    Do the following from Safe Mode
    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text field.
    Code:
    :otl
    DRV - (sptd) -- System32\Drivers\sptd.sys File not found
    IE - HKCU\..\URLSearchHook: {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll (DeviceVM Inc.)
    FF - prefs.js..network.proxy.type: 4
    CHR - default_search_provider: Blekko (Enabled)
    CHR - default_search_provider: search_url = http://blekko.com/?source=c3348dd4&tbp=rbox&q={searchTerms}
    O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
    O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
    O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
    O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
    O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
    [2011/12/31 00:57:38 | 000,001,448 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\115d1dw5jrca
    [2012/01/24 02:49:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG
    [2011/10/23 12:44:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG2012
    [2011/08/13 11:51:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DAEMON Tools Pro
    [2011/05/05 22:28:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
    [2009/03/21 14:20:41 | 003,582,415 | ---- | C] ()(C:\Documents and Settings\Owner\My Documents\??????64 ???????×?????(????!)?.flv) -- C:\Documents and Settings\Owner\My Documents\星のばかちィ64 【ポップスター×亜美ちゃん(とらドラ!)】.flv
    [2009/01/05 07:40:59 | 003,582,415 | ---- | M] ()(C:\Documents and Settings\Owner\My Documents\??????64 ???????×?????(????!)?.flv) -- C:\Documents and Settings\Owner\My Documents\星のばかちィ64 【ポップスター×亜美ちゃん(とらドラ!)】.flv
    [2012/04/04 21:08:29 | 000,000,990 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Tqit.CT
    :files
    c:\documents and settings\Owner\Local Settings\Application Data\Conduit /d
    dir "C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}" /c
    dir "C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}" /c
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{20a0be68-8fd9-4539-8712-ce3d1c1fdfc6}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26c9e18c-3717-4be1-a225-04e4471f5b6e}]
    [-HKEY_CLASSES_ROOT\clsid\{26c9e18c-3717-4be1-a225-04e4471f5b6e}]
    [-HKEY_CLASSES_ROOT\clsid\{20a0be68-8fd9-4539-8712-ce3d1c1fdfc6}]
    :commands
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and time of the tool run.
    Attach this log to your next message. (How to attach)

    __


    Afterwards, run a Quick Scan and attach the newest OTL.txt (How to attach)

    I'm also interested in seeing logs from the following.

    Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    When it is finished, there will be a log on your desktop called: RKreport[1].txt
    Attach RKreport[1].txt to your next message. (How to attach)

    I want you to read and follow these instructions: TDSSKiller - How to run
    Make sure you update TDSSKiller before scanning. Latest version is 2.7.31.0
     
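What the OTL fix above targets (the Firefox network.proxy.type preference, the Chrome default search provider, and the hosts file) can be checked directly before and after a fix is run. The following is an added example written for this page in Python; it is not code from the thread or from OTL, MiniToolBox or any other tool named here. The sample prefs.js, Chrome Preferences and hosts contents are constructed for the demonstration, the list of trusted search hosts is an assumption, and the Blekko search_url is the one quoted in the fix list above. It generalises slightly beyond the thread by also flagging manual and PAC-script proxy settings, not only the auto-detect value seen on this machine.

```python
"""Audit Firefox prefs.js, a Chrome Preferences file and a hosts file for
proxy/search/hosts tampering of the kind discussed in the thread.
Added example for this page; not code from the thread or from OTL/MiniToolBox.
All sample inputs below are constructed."""
import json
import re
from urllib.parse import urlsplit

# Meaning of Firefox's network.proxy.type values (Firefox preference semantics).
PROXY_TYPE = {0: "direct", 1: "manual", 2: "pac-url", 4: "wpad-autodetect", 5: "system"}

# Search engines accepted as a browser default; anything else is reported.
# This allowlist is an assumption for the example, not a vendor list.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs_js(text):
    """Return {name: value} for every user_pref(...) line in a prefs.js file."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def audit_firefox_proxy(prefs):
    """Classify the proxy mode and list anything that can divert traffic."""
    findings = []
    ptype = prefs.get("network.proxy.type", 5)          # Firefox default is 5 (system)
    label = PROXY_TYPE.get(ptype, f"unknown({ptype})")
    if ptype == 1:
        for key in ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks"):
            if prefs.get(key):
                findings.append(f"manual proxy {key}={prefs[key]}:{prefs.get(key + '_port')}")
    elif ptype == 2:
        findings.append(f"PAC script url={prefs.get('network.proxy.autoconfig_url')}")
    elif ptype == 4:
        findings.append("WPAD auto-detect enabled: a rogue DHCP/DNS answer can supply a PAC file")
    return label, findings


def audit_chrome_search(preferences_json):
    """Report a default_search_provider whose search_url host is not trusted."""
    dsp = json.loads(preferences_json).get("default_search_provider", {})
    host = urlsplit(dsp.get("search_url", "")).hostname or ""
    if host and host not in TRUSTED_SEARCH_HOSTS:
        return [f"default search provider '{dsp.get('name')}' points at {host}"]
    return []


def audit_hosts(text):
    """Report hosts entries that map a name to something other than loopback/null."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()                # drop comments
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("127.0.0.1", "::1", "0.0.0.0"):
            continue                                        # ad-blocking style entries are normal
        findings.append(f"{', '.join(names)} -> {ip}")
    return findings


# Constructed sample inputs (not taken from the poster's logs).
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 4);
user_pref("network.proxy.http", "");
'''
SAMPLE_CHROME_PREFS = json.dumps({"default_search_provider": {
    "name": "Blekko", "enabled": True,
    "search_url": "http://blekko.com/?source=c3348dd4&tbp=rbox&q={searchTerms}"}})
SAMPLE_HOSTS = '''\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.net      # blocking entry, left alone
203.0.113.7     www.example.com      # real name pointed at an outside address
'''


def run_audit(prefs_js=SAMPLE_PREFS_JS, chrome=SAMPLE_CHROME_PREFS, hosts=SAMPLE_HOSTS):
    """Run all three checks and return the findings as one dict."""
    label, ff = audit_firefox_proxy(parse_prefs_js(prefs_js))
    return {"firefox_proxy_mode": label, "firefox": ff,
            "chrome": audit_chrome_search(chrome), "hosts": audit_hosts(hosts)}


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(section, items)
```

Run it against a real profile by passing the contents of the profile's prefs.js, Chrome's Preferences file and %SystemRoot%\System32\drivers\etc\hosts to run_audit(). A proxy type of 4 on a home machine is worth resetting even when no PAC URL is stored, because the PAC is fetched from the network at run time rather than kept in the profile.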
  11. hedvix

    hedvix Private E-2

    Here are the first 4 logs.
    The only thing I noticed is that RogueKiller found 1 object and I closed the program without deleting anything.
     

    Attached Files:

  12. hedvix

    hedvix Private E-2

    TDSSkiller found 11 objects, but they're in the form of unsigned files.
    I choose 'skip' on all of them.

    and yes, redirection is still occurring on Firefox
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Code:
    Unable to fix default_search_provider items.
    Unable to fix default_search_provider items.
    FF - user.js - File not found
    Not so sure why OTL is having trouble fixing these but I think it is going to be necessary for you to completely uninstall FireFox (Use Revo Uninstaller) and then reinstall a fresh copy from here: Mozilla Firefox 11.0 Final

    Try this and let me know how it goes.
     
  14. thisisu

    thisisu Malware Consultant

    Just to clarify, as you stated earlier: you're not actually getting "redirected" because this would mean you are still being forced to the partner37 site.

    Instead, you are receiving a "cannot load this page / server" type error when browsing 1 website.
     
    Last edited: Apr 23, 2012
  15. hedvix

    hedvix Private E-2

    Yes that is correct.. Sorry to confuse you
     
  16. hedvix

    hedvix Private E-2

    I uninstalled Firefox using Revo Uninstaller... I chose "Moderate" instead of "Advanced" removal. Around the end, it asked me to check the bold items to delete them.. I checked them all and removed them..

    After reinstalling the new Firefox... I thought that the infection was gone.. Since when I first visited the -triggering-site... I wasn't receiving any error at all and was going through my bookmarks to see if any of them gets redirected (error)... It turns out, I am still receiving the error after going through 3-4 bookmarks (this number varies).
    All I can tell is that it's a bit less obvious? Before, the next website would definitely be redirected (error) right after triggering... Now, not so much.. but it is still there.

    I also changed my settings on Chrome back to the original to check for the redirection.... And yes, I did get it... So I changed it back.
     
  17. hedvix

    hedvix Private E-2

    Just would like to update...

    Please ignore my last message about it being less obvious or harder to trigger... It just went back to the previous behavior which is redirecting the next website after more testing.
     
  18. thisisu

    thisisu Malware Consultant

    Can you screenshot the problems you are experiencing now. In both Google Chrome and FireFox.
     
  19. hedvix

    hedvix Private E-2

    Attached both screenshot.
    I added some error console for the firefox.
    Don't really know my way around Chrome unfortunately...
     

    Attached Files:

  20. thisisu

    thisisu Malware Consultant

    Hi,

    After reviewing these screenshots, this does not appear to be malware related.

    See the following topics/discussions on your issue:


    If none of the above resolves your issue, we have a Software forum that is better suited for these types of discussions.

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
    Last edited: Apr 23, 2012
  21. hedvix

    hedvix Private E-2

    This does appear or this doesn't appear?
     
  22. thisisu

    thisisu Malware Consultant

    Sorry. Does not.
     
  23. hedvix

    hedvix Private E-2

    Sorry if I wasted your time if this has been a software problem after all... Thanks again for all of your time in helping me..
    If I may ask, has my computer been clean for a while? Can I go ahead and create a restore point at this stage?
     
  24. thisisu

    thisisu Malware Consultant

    You're welcome.

    I would follow the cleanup instructions in the order given. I actually had OTL flush most of your restore points a few posts ago. There shouldn't be many but you can flush them again and create a new one if you'd like.
     
  25. hedvix

    hedvix Private E-2

    Hi just would like to let you know,
    after following the clean up procedure and the "how to protect yourself with malware"... The error is now gone from firefox.

    Things I installed:
    Spybot SnD
    AVG 2012
    AVG firewall
    Spyware Blaster
    Comodo DNS
     
  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just noticed your response! Glad to hear all is well again!!! :) Thanks thisisu for your contribution to this thread.
     
