MajorGeeks Support Forums

  #1  
04-13-12, 23:37
hedvix
partner37.mydomainuser malware infections

Hello,
Recently I've been having problems while surfing with Firefox. Occasionally I'll be redirected to a "404 cannot be displayed" page, or to another page similar to a search engine with an address of "partner37.mydomainuser...."

I've tried to look for solutions online, and I've tried several of them as well. One of them, from "malwarebyte.org", suggested that I should set my Firefox proxy to "no proxy"... I noticed that it did not entirely get rid of the problem, but it seems like a way to get around it, since I still get them occasionally, but less frequently. But the moment I changed "no proxy" to "auto-detect", the problem occurred right away.

Usually, as soon as I get these errors/redirects, I close Firefox and use CCleaner to clean up temp files before starting Firefox again; this seems to work in order to access those pages.

I've done all the scanning (as mentioned before starting a thread) and managed to pick up a few hidden malware items as well, but nonetheless, the problem is still there right now.
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 04-14-2012 - 12-09-55.log (702 Bytes, 4 views)
File Type: txt mbam-log-2012-04-14 (12-21-11).txt (2.1 KB, 4 views)
File Type: txt combofixlog.txt (24.3 KB, 11 views)
File Type: txt RRlog.txt (3.8 KB, 4 views)
  #2  
04-13-12, 23:58
hedvix
Re: partner37.mydomainuser malware infections

Here are my MGlogs, since I could only attach 4 in my OP.
Attached Files
File Type: zip MGlogs.zip (174.7 KB, 3 views)
  #3  
04-14-12, 10:29
hedvix
Re: partner37.mydomainuser malware infections

Hello,
After reading more forum threads here, I decided to give "Fixing Google Redirection/hijacking and other redirection problems" a go as well.
So I did a scan with Goored.exe, TDSSKiller.exe, FixTDSS.exe and MBRCheck.exe.

The results of the scans are attached in this reply.

From FixTDSS.exe I got a popup message at the end of the scan saying the following; not sure if it is good or bad:

"Backdoor.Tidserv has not been found on your computer"
Attached Files
File Type: txt GooredFix.txt (2.0 KB, 3 views)
File Type: txt TDSSKiller.2.7.28.0_14.04.2012_21.40.56_log.txt (82.0 KB, 6 views)
File Type: txt MBRCheck_04.15.12_01.23.11.txt (10.0 KB, 5 views)
  #4  
04-15-12, 18:45
Kestrel13!
Re: partner37.mydomainuser malware infections

Now we need to use ComboFix by sUBs
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
Code:
KILLALL::

DirLook::
C:\Documents and Settings\Owner\Local Settings\Application Data\K5M0C7zPOAUf
File::
C:\Documents and Settings\All Users\Start Menu\Programs\0BC3~1 
C:\Documents and Settings\Owner\Templates\115d1dw5jrca
C:\Documents and Settings\Owner\Local Settings\Application Data\115d1dw5jrca
Folder::
c:\windows\D56B0E274A3E46C9B5C1D93D580C099C.TMP
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
  #5  
04-16-12, 00:44
hedvix
Re: partner37.mydomainuser malware infections

Hello kestrel13!,

Thank you for the reply. I've done what you asked me to do. I've attached the ComboFix log and MGlogs below. No errors/problems came up during those scans.

I did notice that my hosts file, located in WINDOWS/system32/driver/etc, which was supposed to be filled with entries for blocked websites, became empty. Did ComboFix do this? I copied it back from my backup hosts file before surfing the net.

~~~~ the following is what I did last night, before running these scans
While browsing the net, I did manage to pinpoint a particular website that seems to trigger this malware/virus to redirect me to partner37.mydomainuser.... It would first open 2 popup windows (some form of advertisement), then it would start redirecting me when I tried to access random websites (websites that I frequently visit).

I then tried including partner37.mydomainuser in my "hosts" file to see if it could stop the problem. I noticed that the popup still came up, but instead of redirecting me to partner37.mydomainuser, it redirected me to an empty white page (the address of the website still remained the same, not partner37.mydomainuser).
My best guess is that it sort of half-blocks the infection with the help of my "hosts" file, though something is still triggering it.
~~~~~

Now, after running your instructions and copying my backup hosts file, the infection doesn't seem to trigger, or at least I'm not being redirected or getting a white page. Is it safe to assume I am clean now?
Attached Files
File Type: txt ComboFix.txt (21.3 KB, 3 views)
File Type: zip MGlogs.zip (177.4 KB, 1 views)
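The two observations in this post (a hosts-file entry turns the redirect into a blank page, and the first post's note that Firefox's "auto-detect" proxy setting brings the redirects straight back) can both be checked offline. The following is an added example, not code from the thread or from any of the tools used in it. It parses a Windows hosts file and a Firefox prefs.js fragment; both inputs are constructed, and the hostname is a placeholder standing in for the truncated "partner37.mydomainuser...." address in the thread.

```python
"""Two checks for the symptoms reported in this thread: is a hostname sinkholed
by the Windows hosts file, and which proxy mode is Firefox configured with.
Added example with constructed inputs; the hostname is a placeholder for the
truncated "partner37.mydomainuser...." address in the thread."""
import re
from typing import Dict, Optional

REDIRECT_HOST = "partner37.redirect-target.invalid"   # constructed placeholder

# Constructed hosts file, modelled on the entry hedvix added by hand.
SAMPLE_HOSTS = f"""\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         {REDIRECT_HOST}    # block the redirect target
127.0.0.1       ads.invalid  tracker.invalid
"""

# Constructed prefs.js fragment with the proxy set to "auto-detect" (type 4),
# the setting the first post says made the redirects come back at once.
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 4);
"""

# Addresses that send a name nowhere useful: the source of the blank/error page.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Values of network.proxy.type as shown in Firefox's about:config.
PROXY_MODES = {0: "no proxy", 1: "manual", 2: "PAC URL", 4: "auto-detect (WPAD)", 5: "system"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to its address, ignoring comments and blank lines.
    The first entry for a name is kept, as the resolver takes the first match."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip full-line and inline comments
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_sinkholed(hosts: Dict[str, str], hostname: str) -> bool:
    """True when the hosts file sends hostname to a loopback or null address."""
    return hosts.get(hostname.lower()) in SINK_ADDRESSES


def firefox_proxy_mode(prefs_text: str) -> Optional[int]:
    """network.proxy.type from prefs.js; None when the pref was never changed."""
    m = re.search(r'user_pref\("network\.proxy\.type",\s*(\d+)\);', prefs_text)
    return int(m.group(1)) if m else None


def pac_url(prefs_text: str) -> Optional[str]:
    """Explicit PAC URL, if one is configured (network.proxy.autoconfig_url)."""
    m = re.search(r'user_pref\("network\.proxy\.autoconfig_url",\s*"([^"]*)"\);', prefs_text)
    return m.group(1) if m else None


def assess(hosts_text: str, prefs_text: str, hostname: str) -> dict:
    """Combine both checks into a small report a helper could read at a glance."""
    hosts = parse_hosts(hosts_text)
    mode = firefox_proxy_mode(prefs_text)
    report = {
        "sinkholed": is_sinkholed(hosts, hostname),
        "proxy_mode": "default (pref not set)" if mode is None else PROXY_MODES.get(mode, f"unknown ({mode})"),
        "pac_url": pac_url(prefs_text),
        "notes": [],
    }
    if report["sinkholed"]:
        report["notes"].append("hosts entry hides the redirect target but leaves whatever issues the redirect untouched")
    if mode in (2, 4):
        report["notes"].append("proxy is chosen by PAC/WPAD; verify that source before trusting the browser's connections")
    return report


if __name__ == "__main__":
    print(assess(SAMPLE_HOSTS, SAMPLE_PREFS, REDIRECT_HOST))
```

On a real machine the inputs would be the contents of `%SystemRoot%\system32\drivers\etc\hosts` and of `prefs.js` in the Firefox profile folder; the report makes the point of the post explicit: a hosts entry only masks the destination, and a browser that discovers its proxy automatically is trusting whatever answers that discovery.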
  #6  
04-16-12, 07:42
hedvix
Re: partner37.mydomainuser malware infections

Hi again,

It turns out the blank "white" page that I was getting while surfing in Firefox was because of my "hosts" file; the moment I removed "partner37.mydomainuser", the problem returned right away.

The problem is not fixed yet.

Looking through my combofix.txt,
I saw that there were some suspicious folders (random names) that were deleted, but this time with different names.

c:\windows\1C4551A64743409391E41477CD655043.TMP
c:\windows\1C4551A64743409391E41477CD655043.TMP\WiseCustomCalla.dll
C:\Documents and Settings\All Users\Application Data\115d1dw5jrca

I haven't deleted anything yet, but I feel that I am still infected.
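The folders hedvix lists here, and the ones targeted by the CFscript in post #4, share a shape: either 32 hex characters followed by .TMP directly under \windows, or a 12-character jumble of digits and letters under Application Data. The following added example (not code from the thread or from ComboFix) turns that observation into a triage heuristic over a list of paths. The three flagged paths are the ones quoted in the thread; the benign ones are constructed. A hit is a lead to look at, not a verdict.

```python
"""Triage heuristic for generated-looking folder names like the ones quoted in
this thread. Added example; flagged sample paths come from the thread, the
benign ones are constructed."""
import re
from typing import List, Tuple

SAMPLE_PATHS = [
    r"c:\windows\1C4551A64743409391E41477CD655043.TMP",                              # from the thread
    r"C:\Documents and Settings\All Users\Application Data\115d1dw5jrca",             # from the thread
    r"C:\Documents and Settings\Owner\Local Settings\Application Data\K5M0C7zPOAUf",  # from the thread
    r"C:\Program Files\Mozilla Firefox",                                              # from the thread, benign
    r"C:\Documents and Settings\All Users\Application Data\Microsoft",                # constructed, benign
    r"C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla",       # constructed, benign
]

# 32 hex characters plus .TMP: a GUID-style scratch folder name.
HEX_TMP = re.compile(r"^[0-9A-Fa-f]{32}\.TMP$")
# 10 to 16 letters/digits with nothing else: the shape of a generated name.
ALNUM_BLOB = re.compile(r"^[A-Za-z0-9]{10,16}$")


def class_transitions(name: str) -> int:
    """Count switches between digit runs and letter runs. Human-chosen names
    such as 'Office14' switch once; '115d1dw5jrca' switches five times."""
    classes = ["d" if c.isdigit() else "a" for c in name]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def name_reason(name: str) -> str:
    """Why a single folder name looks generated; empty string if it does not."""
    if HEX_TMP.match(name):
        return "32-hex .TMP folder name"
    if ALNUM_BLOB.match(name) and class_transitions(name) >= 3:
        return f"generated-looking name ({class_transitions(name)} digit/letter switches)"
    return ""


def suspicious_paths(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every path whose last component looks generated."""
    hits = []
    for path in paths:
        base = path.rstrip("\\").rsplit("\\", 1)[-1]
        reason = name_reason(base)
        if reason:
            hits.append((path, reason))
    return hits


if __name__ == "__main__":
    for path, why in suspicious_paths(SAMPLE_PATHS):
        print(f"{why:50s} {path}")
```

The digit/letter switch count is what separates the generated names from ordinary versioned product folders; the threshold of 3 is a choice made for this example and would be tuned against a listing of a known-clean machine before being relied on.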
  #7  
04-16-12, 10:54
Kestrel13!
Re: partner37.mydomainuser malware infections

Quote:
I did notice that my host file located in WINDOWS/system32/driver/etc that was supposed to be filled by entry of blocked websites becomes empty. Did combofix do this?
No, but I notice you have Spybot installed; this could have had some effect, as it integrates with the hosts file, I believe.

Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.
  • Right-click OTM.exe And select " Run as administrator " to run it.
  • Paste the following code under the area. Do not include the word Code.
Code:
:Processes
explorer.exe

:services
Audsqtarwipt

:files
c:\documents and settings\Owner\Local Settings\Application Data\K5M0C7zPOAUf
C:\Documents and Settings\All Users\Start Menu\Programs\0BC3~1

:Commands
[emptytemp]
[Reboot]
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Push the large button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  #8  
04-16-12, 19:05
hedvix
Re: partner37.mydomainuser malware infections

I did the scan with OTM. Since I'm on XP, it didn't give me the option to run as administrator. But I am the only user (Owner) who uses this computer, and my current user account is set as administrator.

OTM crashed at the end of the scan, I believe. My desktop became empty and no bottom taskbar was visible. I had to restart using Ctrl+Alt+Del, via Windows Task Manager.

When I rebooted, the log from OTM appeared as attached below.
I checked, and I am still being redirected.
Attached Files
File Type: log OT_log.log (3.9 KB, 4 views)
File Type: zip MGlogs.zip (179.0 KB, 8 views)
  #9  
04-17-12, 08:13
Kestrel13!
Re: partner37.mydomainuser malware infections

Please download this and transfer it to your PC.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check all the boxes.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and attach the log to your reply


Also:

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.
  #10  
04-18-12, 10:42
hedvix
Re: partner37.mydomainuser malware infections

I did 2 scans because the first scan stalled in the middle.
The first scan found 2 infections, the 2nd scan found 4 infections.

The logs are attached below.
I checked afterwards, browsing with Firefox, and I am still being redirected.
Attached Files
File Type: txt eset1.txt (309 Bytes, 2 views)
File Type: txt eset2.txt (445 Bytes, 2 views)
  #11  
04-18-12, 11:22
Kestrel13!
Re: partner37.mydomainuser malware infections

We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:
  • Run FireFox and click Bookmarks.
  • Then select Organize Bookmarks.
  • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

Start by uninstalling FireFox and then reboot. Do not skip the reboot.
After reboot, delete the below folders:

C:\Documents and Settings\UserAccount\Local Settings\Application Data\Mozilla
C:\Program Files\Mozilla Firefox

where UserAccount is the actual user account name being used.

Now reinstall FireFox from the file previously downloaded.
Import your bookmarks file. (similar process to exporting).


Is FireFox working okay now or is it still redirecting?
  #12  
04-18-12, 18:41
hedvix
Re: partner37.mydomainuser malware infections

I followed the procedure as instructed; unfortunately, I am still being redirected to that website.

With the new Firefox, instead of getting a blank white page (using the hosts file to block), I am instead getting a connection error page.
  #13  
04-18-12, 18:57
Kestrel13!
Re: partner37.mydomainuser malware infections

Big sigh... You have been working across multiple forums. That is very much frowned upon, because now there are two of us toiling to try and fix you up. It's a waste of resources. Who do you wish to work alongside, me or LDTate, who probably is not aware that you have a thread here already? (I presume you want to stick with us, as you have not posted at the other forum since the 16th.) You need to let them know, though, that they can close that thread if you're sticking here.
  #14  
04-18-12, 19:03
Kestrel13!
Re: partner37.mydomainuser malware infections

C:\Documents and Settings\Owner\Local Settings\Application Data\blekkotb <----- Is this folder empty?? Have you ever installed something called blekko toolbar?
  #15  
04-18-12, 21:31
hedvix
Re: partner37.mydomainuser malware infections

Oh yes, I apologize about that with LDTate; I didn't really check back with them. I will let them know. Sorry for the inconvenience.

The blekkotb folder is empty and has been deleted.
  #16  
04-19-12, 04:12
Kestrel13!
Re: partner37.mydomainuser malware infections

Back up your firefox bookmarks again. Uninstall Firefox as previously instructed, but now do NOT reinstall it yet!!!!! Instead do this:

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.


Is Internet Explorer okay?? Does that redirect? (Do not reinstall Firefox until I say)
  #17  
04-19-12, 05:33
hedvix
Re: partner37.mydomainuser malware infections

Firefox is now uninstalled. I'm currently using Google Chrome, and, to clarify, the infection doesn't occur when I'm using Google Chrome.

Here are the MGlogs.
Attached Files
File Type: zip MGlogs.zip (42.1 KB, 3 views)
  #18  
04-19-12, 06:15
Kestrel13!
Re: partner37.mydomainuser malware infections

What about IE?
  #19  
04-19-12, 06:21
Kestrel13!
Re: partner37.mydomainuser malware infections

We also did not do this properly before. (My fault.)

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
  #20  
04-19-12, 06:26
Kestrel13!
Re: partner37.mydomainuser malware infections

When you have finished that do this:

Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.
  • cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
  • ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.