partner37.mydomainuser malware infections

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hedvix, Apr 14, 2012.

  1. hedvix

    hedvix Private E-2

    Hello,
    Recently I've been having problems while surfing with Firefox. Occasionally I'll be redirected to a "404 cannot be displayed" page, or to another page that looks like a search engine with an address of "partner37.mydomainuser...."

    I've tried to look for solutions online, so I've tried several solutions as well. One of them, from "malwarebyte.org", suggested that I should disable my Firefox proxy by setting it to "no proxy"... I noticed that it did not entirely get rid of the problem, but it seems like a way to get around it, since I still get them occasionally, but less frequently. But the moment I change "no proxy" to "auto-detect", the problem occurs right away.

    Usually, as soon as I get these errors/redirects, I close Firefox and use CCleaner to clean up temp files before starting Firefox again; this seems to work in order to access those pages.

    I've done all the scanning (as mentioned before starting a thread) and managed to pick up a few hidden malware as well, but nonetheless, the problem is still there right now.
     

    Attached Files:
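The proxy behaviour described in this post (the redirect returns the moment the Firefox proxy is switched from "no proxy" to "auto-detect") is something a defender can check mechanically: Firefox records its proxy mode in the profile's prefs.js, and "auto-detect" means the browser will accept a WPAD proxy answer from the local network, while a PAC URL or manual proxy hands every request to whatever host is configured. The Python script below is an added example and is not part of the thread or of any tool it mentions; it parses a constructed prefs.js excerpt and reports the proxy mode and any setting worth reviewing. The preference names and type values are Firefox's own; the sample excerpt and the `proxy.example.invalid` URL are constructed for the demonstration.

```python
"""Report the proxy mode recorded in a Firefox prefs.js file.

Added example (not from the thread): the network.proxy.* preference names and
the meaning of network.proxy.type are Firefox's own; the sample excerpt below
is constructed for this demonstration.
"""
import re

# Documented meanings of network.proxy.type in Firefox.
PROXY_TYPES = {
    0: "no proxy",
    1: "manual proxy",
    2: "PAC URL (automatic proxy configuration)",
    4: "auto-detect (WPAD)",
    5: "use system proxy settings",
}

# prefs.js stores one preference per line:  user_pref("name", value);
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Constructed prefs.js excerpt (not a real profile).
SAMPLE_PREFS = '''// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 4);
user_pref("network.proxy.autoconfig_url", "http://proxy.example.invalid/wpad.dat");
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
'''


def parse_prefs(text):
    """Return {pref_name: value} with strings, ints and booleans decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines and anything malformed
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # keep anything unusual verbatim for the report
        prefs[name] = value
    return prefs


def assess_proxy(prefs):
    """Describe the proxy mode and list settings a defender should review."""
    ptype = prefs.get("network.proxy.type")
    if ptype is None:
        label = "default (pref not set)"
    else:
        label = PROXY_TYPES.get(ptype, "unknown value %r" % (ptype,))
    findings = []
    if ptype == 4:
        findings.append("auto-detect: the browser will trust a WPAD proxy "
                        "answer from the local network")
    if ptype == 1:
        findings.append("manual proxy %s:%s" % (prefs.get("network.proxy.http"),
                                                  prefs.get("network.proxy.http_port")))
    url = prefs.get("network.proxy.autoconfig_url")
    if url:
        note = "" if ptype == 2 else " (inactive unless type is 2)"
        findings.append("PAC URL present: %s%s" % (url, note))
    return {"type": ptype, "label": label, "findings": findings}


def assess_prefs_file(path):
    """Read a prefs.js from disk (path is the caller's assumption) and assess it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return assess_proxy(parse_prefs(fh.read()))


if __name__ == "__main__":
    report = assess_proxy(parse_prefs(SAMPLE_PREFS))
    print("proxy mode:", report["label"])
    for item in report["findings"]:
        print(" -", item)
```

Run against the constructed excerpt it reports the "auto-detect (WPAD)" mode and the lingering PAC URL; pointing `assess_prefs_file` at a real profile's prefs.js gives the same report for that profile. A mode of 0 produces an empty findings list, which is the state the malwarebytes advice in the post puts the browser into.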

  2. hedvix

    hedvix Private E-2

    Here are my MGlogs, since I could only attach 4 on my OP
     

    Attached Files:

  3. hedvix

    hedvix Private E-2

    Hello,
    After reading more forum threads here, I decided to give "Fixing Google Redirection/hijacking and other redirection problems" a go as well.
    So I did a scan with Goored.exe, TDSSKiller.exe, FixTDSS.exe and MBRCheck.exe

    The results of scans are attached in this reply.

    From FixTDSS.exe, I got a popup message at the end of the scan saying the following; not sure if it is good or bad:

    "Backdoor.Tidserv has not been found on your computer"
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\Documents and Settings\Owner\Local Settings\Application Data\K5M0C7zPOAUf
    File::
    C:\Documents and Settings\All Users\Start Menu\Programs\0BC3~1 
    C:\Documents and Settings\Owner\Templates\115d1dw5jrca
    C:\Documents and Settings\Owner\Local Settings\Application Data\115d1dw5jrca
    Folder::
    c:\windows\D56B0E274A3E46C9B5C1D93D580C099C.TMP
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  5. hedvix

    hedvix Private E-2

    Hello kestrel13!,

    Thank you for the reply. I've done what you asked me to do. I've attached the combofix log and Mglogs below. No errors/problems came up during those scans.

    I did notice that my host file located in WINDOWS/system32/driver/etc, which was supposed to be filled with entries of blocked websites, became empty. Did ComboFix do this? I copied from my backup host file before surfing the net.

    ~~~~ the following is what I did last night, before running these scans
    While browsing the net, I did manage to pinpoint a particular website that seems to trigger this malware/virus to redirect me to partner37.mydomainuser.... It would first start up 2 popup windows (some form of advertisement), then it starts redirecting me when I try to access random websites (websites that I frequently visit).

    I then tried including partner37.mydomainuser in my "host" file to see if it could stop the problem. I noticed that the popup still came up, but instead of redirecting me to partner37.mydomainuser, it redirected me to an empty white page (the address of the website still remained the same, not partner37.mydomainuser).
    My best guess is that it sort of half-blocks the infection with the help of my "host" file. Though something is still triggering it.
    ~~~~~

    Now, after running your instructions and copying my backup host file, the infection doesn't seem to trigger.. or at least I'm not being redirected or getting a white page. Is it safe to assume I am clean now?
     

    Attached Files:
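The hosts-file experiment in this post (adding partner37.mydomainuser to the hosts file turns the redirect into a blank page) and the observation that ComboFix left the hosts file empty are both things a defender can check mechanically. The Python script below is an added example, not part of the thread or of any tool it mentions: it parses a constructed hosts file, tells whether a given domain is blocked (mapped to a loopback or unspecified address), reports the emptied-file case, and lists entries that point a name at some other address, which is what a hosts-file hijack looks like. The sample entries, the `example-bank.invalid` name and the 203.0.113.5 address are constructed.

```python
"""Inspect a hosts file for block entries, an emptied file, and hijack-style
entries.  Added example (not from the thread); the sample file is constructed.
On Windows the live file is %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress

# Addresses that make a name unreachable rather than redirecting it.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed hosts file for this example (not from the thread).
SAMPLE_HOSTS = """# hosts file (constructed sample)
127.0.0.1       localhost
0.0.0.0         partner37.mydomainuser.com      # the user's manual block entry
127.0.0.1       www.partner37.mydomainuser.com
203.0.113.5     update.example-bank.invalid     # constructed hijack-style entry
not-an-ip       ignored.invalid                 # malformed line, skipped
"""


def parse_hosts(text):
    """Return (address, hostname) pairs; comments and malformed lines dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr = parts[0]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # first field is not an IP address: not a hosts entry
        for name in parts[1:]:
            entries.append((addr, name.lower().rstrip(".")))
    return entries


def block_status(text, domain):
    """'empty' if the file has no entries at all (the tool-reset case seen in
    the thread), 'blocked' if every entry for the domain is a sinkhole address,
    'hijacked' if any entry sends it somewhere else, 'unblocked' otherwise."""
    entries = parse_hosts(text)
    if not entries:
        return "empty"
    domain = domain.lower().rstrip(".")
    addrs = [addr for addr, name in entries if name == domain]
    if not addrs:
        return "unblocked"
    if all(addr in SINKHOLE_ADDRS for addr in addrs):
        return "blocked"
    return "hijacked"


def suspicious_entries(text):
    """Entries mapping a name to a non-sinkhole address.  Normal for LAN hosts
    an administrator added; suspicious for public names such as update or
    banking domains."""
    return [(addr, name) for addr, name in parse_hosts(text)
            if addr not in SINKHOLE_ADDRS]


def report(text, domains):
    """Block status for each domain of interest plus the entries to review."""
    return {d: block_status(text, d) for d in domains}, suspicious_entries(text)


if __name__ == "__main__":
    statuses, to_review = report(SAMPLE_HOSTS, ["partner37.mydomainuser.com",
                                                "update.example-bank.invalid"])
    print(statuses)
    print("entries to review:", to_review)
```

Reading the live file into `report` after a cleanup tool has run shows at once whether the tool reset the file (status "empty" for every domain) and whether the manual block entry survived; the "hijacked" status is the one that should never appear for a public domain on a clean machine.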

  6. hedvix

    hedvix Private E-2

    Hi again,

    It turns out the blank "white" page that I am getting while surfing on Firefox is because of my "host" file; the moment I removed "partner37.mydomainuser", the problem returned right away.

    The problem is not fixed yet.

    Looking through my combofix.txt,
    I saw that there are some suspicious folders (random names) that were deleted, but this time with different names.

    c:\windows\1C4551A64743409391E41477CD655043.TMP
    c:\windows\1C4551A64743409391E41477CD655043.TMP\WiseCustomCalla.dll
    C:\Documents and Settings\All Users\Application Data\115d1dw5jrca

    I haven't deleted anything yet, but I feel that I am still infected
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, but I notice you have Spybot installed; this could have had some effect as it integrates with the host file, I believe.

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.
    Code:
    :Processes
    explorer.exe
    
    :services
    Audsqtarwipt
    
    :files
    c:\documents and settings\Owner\Local Settings\Application Data\K5M0C7zPOAUf
    C:\Documents and Settings\All Users\Start Menu\Programs\0BC3~1
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  8. hedvix

    hedvix Private E-2

    I did the scan with OT. Since I'm on XP, it didn't give me the option to run as administrator. But I am the only user, Owner, on this computer and my current user account is set as administrator.

    OT crashed at the end of the scan, I believe. My desktop became empty and no bottom tab was visible. I had to restart by using Ctrl+Alt+Del, via Windows Task Manager.

    When I rebooted, the logs from OT appeared as attached below.
    I checked and I am still being redirected.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download this and transfer it to your PC.

    Please download Farbar Service Scanner and run it on the computer with the issue.

    • Check all the boxes.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and attach the log to your reply


    Also:

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users: Right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  10. hedvix

    hedvix Private E-2

    Both scans went without problem/errors

    The logs are attached below.

    Also, is it safe for me to delete some of these tools once I finish using them? I know combofix requires special uninstallation procedure (combofix /uninstall), what about the others?
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We need to focus on solving your redirection, and until we do that, we need all the tools. Thanks. Checking those logs now.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  13. hedvix

    hedvix Private E-2

    Hi Kestrel,

    I did what you asked me to do and yes the moment I restore my host file to default, I am getting redirected again to partner37.mydomainuser.com
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run this and attach the results.

    Using ESET's Online Scanner

    It will take time, so be patient. If that does not find anything I think our next best move would be to have you back up your firefox bookmarks etc and uninstall > reinstall. I will provide instructions for that later.
     
  15. hedvix

    hedvix Private E-2

    I did 2 scans because the first scan stalled in the middle.
    The first scan had 2 infections, the 2nd scan had 4 infections.

    The logs are attached below.
    Checked afterwards, browsing with firefox and I am still being redirected.
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:

    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

    Start by uninstalling FireFox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:

    C:\Documents and Settings\UserAccount\Local Settings\Application Data\Mozilla
    C:\Program Files\Mozilla Firefox

    where UserAccount is the actual user account name being used.

    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file. (similar process to exporting).


    Is FireFox working okay now or is it still redirecting?
     
  17. hedvix

    hedvix Private E-2

    Followed the procedure as instructed, unfortunately, I am still being redirected to that website.

    With the new firefox, instead of me getting a blank white page (using the host file to block), I am instead getting an error connection page.
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Big sigh... You have been working across multiple forums. That is very much frowned upon, because now there are two of us toiling to try and fix you up. It's a waste of resources. Who do you wish to work alongside, me or LDTate, who probably is not aware that you have a thread here already? (I presume you want to stick with us as you have not posted at the other forum since the 16th.) You need to let them know, though, that they can close that thread if you're sticking here.
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    C:\Documents and Settings\Owner\Local Settings\Application Data\blekkotb <----- Is this folder empty?? Have you ever installed something called blekko toolbar?
     
  20. hedvix

    hedvix Private E-2

    Oh yes, I apologize about that, LDTate; I didn't really check back with them. I will let them know. Sorry for the inconvenience.

    The blekkotb folder is empty and has been deleted.
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Back up your firefox bookmarks again. Uninstall Firefox as previously instructed, but now do NOT reinstall it yet!!!!! Instead do this:

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.


    Is Internet Explorer okay?? Does that redirect? (Do not reinstall Firefox until I say)
     
  22. hedvix

    hedvix Private E-2

    Firefox is now uninstalled. I'm currently using Google Chrome, and to clarify, the infection doesn't occur when I'm using Google Chrome.

    Here are the MGlogs
     

    Attached Files:

  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What about IE?
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We also did not do this properly before. (My Fault)



    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    When you have finished that do this:

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    • cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    • ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.
     
  26. hedvix

    hedvix Private E-2

    Hi, I am actually having a hard time following the procedure you've posted.

    Is System Recovery Console and System Recovery Options the same thing?

    I tried both Advanced Boot and the Windows Installation Disk and I never got to the stage where I can select "Repair Your Computer" (I am on Windows XP)

    On Advanced Boot:
    I pressed F8 until I got options like: boot in safe mode, etc... I didn't see any option saying "Repair your computer"; again, the closest thing I saw was "System Recovery Console"
    When I choose that and have everything loaded, the next thing it says is to choose the Windows installation to repair... I press 1
    The next thing I see is: C:\WINDOW
    note: It didn't ask me for my administrator password even though I use a password to log on to my computer
    Using the Windows Installation CD also led to the same thing... So I am very confused

    My experience can be best described as shown here:
    http://www.windowsnetworking.com/articles_tutorials/wxprcons.html

    And regarding IE... I don't use IE at all, or I don't seem to be able to use it... It crashes whenever I open it. I'm pretty sure I've removed IE
     
  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    My bad (I apologise) Please just continue on with instructions in post # 25. :)
     
  28. hedvix

    hedvix Private E-2

    Did what you asked me.
    There was no error that came up during the scanning. Although I wasn't sure if the scan had finished or not. It just kind of stalled without showing any message. I assumed it was finished since it opened the .txt file in Notepad.

    I've attached both MGlogs and the shownew.txt
     

    Attached Files:

  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What is inside of this folder?
    C:\Documents and Settings\Owner\Application Data\Ohowo

    Delete these folders.
    C:\Documents and Settings\Owner\Local Settings\Application Data\blekkotb
    C:\Documents and Settings\Owner\Local Settings\Application Data\Conduit

    Run ccleaner.

    I am seeking advice from colleagues about this as I am practically stumped.
     
  30. hedvix

    hedvix Private E-2

    Hello
    Deleted those folders you asked me to, and cleaned with CCleaner.
    Inside C:\Documents and Settings\Owner\Application Data\Ohowo
    there's a file called "veybyqe.upo" - 12kb
    created: Tuesday 16th March 2010, modified: 30 January 2012

    Do you want me to reinstall firefox and test again whether or not I am still being redirected?
     
  31. hedvix

    hedvix Private E-2

    Since I am unable to edit my last entry.
    Just would like to add that I just experienced my first redirection while using Google Chrome.
    As usual, my "host" file is blocking it, resulting just error page being displayed, or failure of connection towards a particular website.
    I'm sorry if you're having a hard time pinpointing the source of the infection. I wish I could inform you more :(

    Do you think I should stop using the "host" file to block, if it would make it easier to detect if it activated? I've been clearing my cache every time I get redirected.
     
  32. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, delete it, the whole folder.
    You can if you wish yes.
    Yes, stop doing that for now and let's see what gives.
     
  33. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Find out if you still get redirection in Firefox and Chrome if you are using "Safe mode with networking"
     
  34. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    After you have answered my above question please try this:

    Yorkyt.exe Disinfection Tool 0.0.0.220


    Follow these simple instructions:

    1: Download the yorkyt.exe disinfection tool.
    2: Save the file to your hard disk; to the Windows Desktop, for example.
    3: Double click the yorkyt.exe file.
    4: A reboot will be requested to install a driver.
    5: Another reboot will be requested to complete the disinfection.
    6: When the disinfection is completed, accept the message that will be displayed.
    7: In order to ensure a full cleanup, run a scan of your PC with the antivirus installed.
     
  35. hedvix

    hedvix Private E-2

    Hi Kestrel,

    I really appreciate the time you and your colleague have put into helping me. I did some testing around and did what you've asked me, which is reinstall Firefox and delete the entry of partner37.mydomainadvisor.com from the host file. As expected, the redirection came back right away.

    I have also pinpointed the website that triggers the redirection (it's one of the websites I visit on a daily basis). I did suspect that it was actually the website that is infected, but I've tested it on another computer on the same network, and only this computer is currently experiencing the redirection.

    I've uploaded what the redirect page looked like. Not sure if this is what you call a google redirect (or yahoo maybe?)

    If you look at the screenshot, on the address bar there are a few things which are familiar from what you have mentioned, such as "blekkotb"; as far as I remember, I don't remember ever installing the Blekko toolbar like you've asked.. But I might be wrong.

    2nd is the antiphshing_dn&q.... When I open my Windows Task Manager, I have a process called "visicom_antiphshing.exe", located in C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor (gosh, sounds familiar much?)

    I did suspect that this might be the source of infection. When I go and visit the folder, there are tags saying that this is Powered by Panda Security. I did some Google searching on who they are.. They seem legit? That is why I didn't think much of it.

    When I kill the process visicom_antiphshing.exe... the redirection stopped... (about halfway again).... Yup... I no longer get redirected to partner37.mydomainadvisor.. but instead I just receive the 404 error page cannot be displayed (same as when I use the host file); if not that, it would sort of half-display a page.. like without CSS, with a very messy layout.

    I also started in safe mode with networking. The redirection still happens (as mentioned above) with the 404 page cannot be displayed, etc., since visicom_antiphshing.exe is not running in this mode.

    Currently I have not yet deleted the folder. I'm just letting you know of my find and will delete it if you instruct me to. My hunch says that this might be one of the sources of infection. The creation date says 22/12/2011, while I only started experiencing the redirection recently

    Inside the folder:
    guid.dat
    uninstall.exe <--- very suspicious...
    visicom_antiphshing.dll
    visicom_antiphshing.exe

    I apologize if I wasn't meant to attach stuff such as JPEG in this forum. But I just want to be as much help as possible
     

    Attached Files:

  36. hedvix

    hedvix Private E-2

    Did the Yorkyt scan. The results are attached below. Not sure if this is the correct attachment since this one appears when it first installs.
     

    Attached Files:

  37. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good evening. :)

    You do not have anything Panda related installed, so we will do away with the folder and its contents.

    Teatimer needs to be disabled! It could interfere with our fixes.

    Please disable Spybot's TeaTimer.


    How to disable Spybot's TeaTimer


    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Folder::
    C:\Documents and Settings\Owner\Local Settings\Application Data\blekkotb
    C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Anti-phishing Domain Advisor"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  38. hedvix

    hedvix Private E-2

    When I was about to run ComboFix by dragging the CFscript.txt, I got a screen saying that ComboFix has expired and asking whether or not I should run it with reduced functionality...

    Should I run it? Or download a new combofix? If I download a new one, do i need to uninstall current combofix?

    Just taking precaution since I've heard that combofix can wreck your computer entirely if not careful.
     
  39. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download the new, let it overwrite the old copy, yes indeed.
     
  40. hedvix

    hedvix Private E-2

    combofix and MGlogs are attached below.

    As confirmation, after running ComboFix, my host file did get emptied. I used my backup one, but this time I made sure to leave out the entry of "partner37.mydomainadvisor". Visicom_antiphshing.exe is no longer running under processes... It's not listed as a startup item in msconfig as well.

    But the redirection symptoms are still there.. I am not getting redirected, but receiving the page cannot be displayed 404 as described before.
    Still triggers from the same website, and the next page that I visit will ultimately get affected.

    Seems there is something inside my computer still :(
    note: I turned on teatimer again before browsing
     

    Attached Files:

  41. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We need to run an OTL Fix

    • Right-click OTL.exe And select " Run as administrator " to run it. If Windows UAC prompts you, please allow it.
    • Copy and Paste the following code into the textbox. Do not include the word Code
    Code:
    :otl
    :Services
    Pcisene
    VBoxNetAdp
    VBoxNetFlt
    :Files
    c:\windows\system32\DBBK
    ipconfig /flushdns /c
    :Commands
    [resethosts]
    [Reboot]
    
    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. ATTACH that report in your next reply.


    Any change?
     
  42. hedvix

    hedvix Private E-2

    OK, I followed your instructions, although something is a bit different from what you describe.
    After I clicked "Run Fix" after pasting the code, it took around 5-10 seconds before it asked me to reboot the computer;
    there was no "click image" that you mentioned

    Once the computer rebooted, there was no Notepad that appeared.
    I did however attach something that I found in C:\_OTL\MovedFiles
    that seems to be some kind of a logfile that was created on the time of the scan. I've attached it below.

    Unfortunately, the symptoms are still there on Firefox and trigger quite easily.
    Meanwhile I've been experimenting on Google Chrome; when I had the 404 error, Google Chrome instructed me to uncheck a setting called "Predict network actions to improve page load performance" in the Under the bonnet section.

    Ever since that is unchecked, I can't seem to trigger the infection/redirection while I am on Google Chrome. Not sure why... Firefox seems to trigger it quite easily, on the other hand.

    note: host file was again emptied after reboot, I used my backup again
     

    Attached Files:

  43. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am so sorry that I have not nailed this for you. I have asked my colleagues to look into this when they get chance. Hang in there. :)
     
  44. hedvix

    hedvix Private E-2

    Please do not be sorry. You have done plenty enough; I sincerely appreciate your effort. While this infection is not fixed entirely, the tools you've asked me to use have managed to pick up other hidden malware on my computer.

    For now, I'll try to visit that website using Google Chrome; that way I can continue to test whether or not the infection/redirection really doesn't trigger on Chrome. :)
     
  45. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Rest assured, we will get to the bottom of this with the help of the others. ;)
     
  46. thisisu

    thisisu Malware Consultant

    Hello hedvix,

    I will be assisting you while my good colleague takes a break.

    __

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • AVG 2012
    • AVG PC Tuneup 2011
    • Java(TM) SE Development Kit 6 Update 24
    • Softonic_English Toolbar
    • Spybot - Search & Destroy
    • TuneUp Companion 2.2.3
    • XP Codec Pack
    Do not reinstall any of these until we are finished with malware removal!!

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit


    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :processes
    killallprocesses
    :otl
    SRV - (Pcisene) --  File not found
    SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
    SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
    SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
    SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
    DRV - (xpsec) --  File not found
    DRV - (XDva351) -- C:\WINDOWS\system32\XDva351.sys File not found
    DRV - (XDva346) -- C:\WINDOWS\system32\XDva346.sys File not found
    DRV - (XDva337) -- C:\WINDOWS\system32\XDva337.sys File not found
    DRV - (XDva323) -- C:\WINDOWS\system32\XDva323.sys File not found
    DRV - (XDva310) -- C:\WINDOWS\system32\XDva310.sys File not found
    DRV - (XDva300) -- C:\WINDOWS\system32\XDva300.sys File not found
    DRV - (XDva281) -- C:\WINDOWS\system32\XDva281.sys File not found
    DRV - (XDva280) -- C:\WINDOWS\system32\XDva280.sys File not found
    DRV - (XDva275) -- C:\WINDOWS\system32\XDva275.sys File not found
    DRV - (XDva262) -- C:\WINDOWS\system32\XDva262.sys File not found
    DRV - (WDICA) --  File not found
    DRV - (VBoxNetFlt) --  File not found
    DRV - (pfc) --  File not found
    DRV - (PDRFRAME) --  File not found
    DRV - (PDRELI) --  File not found
    DRV - (PDFRAME) --  File not found
    DRV - (PDCOMP) --  File not found
    DRV - (PCIDump) --  File not found
    DRV - (lbrtfdc) --  File not found
    DRV - (i2omgmt) --  File not found
    DRV - (EagleXNt) -- C:\WINDOWS\system32\drivers\EagleXNt.sys File not found
    DRV - (DS1410D) -- C:\WINDOWS\system32\drivers\ds1410d.sys File not found
    DRV - (Changer) --  File not found
    DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
    DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
    DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
    DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
    DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
    DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
    DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
    DRV - (AVGIDSEH) -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys (AVG Technologies CZ, s.r.o. )
    DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
    DRV - (sptd) -- C:\WINDOWS\system32\drivers\sptd.sys (Duplex Secure Ltd.)
    IE - HKCU\..\URLSearchHook: {930f1200-f5f1-4870-bac6-e233ec8e7023} - C:\Program Files\Softonic_English\prxtbSof0.dll (Conduit Ltd.)
    IE - HKCU\..\SearchScopes,DefaultScope = {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    IE - HKCU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekko.com/?source=c3348dd4&tbp=rbox&q={searchTerms}
    IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={40314450-518B-4E50-9AE0-54D40216E79D}&mid=e12acdd4c9931a32b26f81998d0b5d48-764a48fdf63c851beeb7a26319778d2eee14c6bb&lang=en&ds=AVG&pr=pr&d=2011-10-23 13:46:07&v=8.0.0.34&sap=dsp&q={searchTerms}
    IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1142338
    FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
    FF - prefs.js..browser.search.selectedEngine: "AVG Secure Search"
    FF - prefs.js..keyword.URL: "http://isearch.avg.com/search?cid=%7Bfbe559bc-c9c8-4a73-81a1-ae907b6f9cdd%7D&mid=e12acdd4c9931a32b26f81998d0b5d48-764a48fdf63c851beeb7a26319778d2eee14c6bb&ds=AVG&v=8.0.0.34.1&lang=en&pr=pr&d=2011-10-23%2013%3A46%3A07&sap=ku&q="
    [2011/12/17 07:14:50 | 000,002,067 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\blekkotb.xml
    CHR - default_search_provider: Blekko (Enabled)
    CHR - default_search_provider: search_url = http://blekko.com/?source=c3348dd4&tbp=rbox&q={searchTerms}
    CHR - plugin: AVG Internet Security (Enabled) = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll
    CHR - Extension: AVG Safe Search = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (Softonic English Toolbar) - {930f1200-f5f1-4870-bac6-e233ec8e7023} - C:\Program Files\Softonic_English\prxtbSof0.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (Softonic English Toolbar) - {930f1200-f5f1-4870-bac6-e233ec8e7023} - C:\Program Files\Softonic_English\prxtbSof0.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (Softonic English Toolbar) - {930F1200-F5F1-4870-BAC6-E233EC8E7023} - C:\Program Files\Softonic_English\prxtbSof0.dll (Conduit Ltd.)
    O3 - HKCU\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
    [2012/04/17 19:31:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor
    [2012/01/30 05:38:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG
    [2011/10/23 13:03:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
    [2010/10/15 13:02:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
    [2012/01/24 02:49:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG
    [2011/10/23 12:44:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG2012
    [2011/08/13 11:51:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DAEMON Tools Pro
    [2012/01/30 02:48:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Ohowo
    [2011/05/05 22:28:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
    @Alternate Data Stream - 217 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
    @Alternate Data Stream - 1151 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:2DGMKjppKehFQZUjIyYNnzSCOPH
    @Alternate Data Stream - 1062 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:9oM4VZYekpk4yK50GXIcMzXE0JMiW
    :files
    C:\Program Files\AVG /d
    C:\Program Files\Spybot - Search & Destroy /d
    C:\WINDOWS\System32\drivers\AVG /d
    c:\documents and settings\Owner\Local Settings\Application Data\blekkotb /d
    dir "c:\program files\THQ" /c
    C:\Documents and Settings\Owner\Local Settings\Application Data\Softonic_English /d
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"=-
    :commands
    [purity]
    [emptyjava]
    [emptyflash]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
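A defender-side check for two of the items the fix script above touches, added here as example code (it is not OTL's, the forum's or thisisu's own): it decodes the BootExecute REG_MULTI_SZ value to confirm it is still the stock "autocheck autochk *" entry, and lists the search-provider hosts in OTL IE/FF/CHR lines that are not on an allowlist. The allowlist and the sample lines are constructed for the example; the sample lines are shortened copies of lines from the script above.

```python
import re
from urllib.parse import urlparse

# Stock Session Manager BootExecute value, as restored by the :reg section above.
DEFAULT_BOOT_EXECUTE = ["autocheck autochk *"]
URL_RE = re.compile(r'https?://[^\s"]+')

def decode_hex7(value):
    """Decode a .reg-style REG_MULTI_SZ ('hex(7):61,75,...') into its strings.
    OTL writes one byte per character; regedit exports UTF-16LE, so both layouts work."""
    raw = bytes(int(b, 16) for b in value.split(":", 1)[1].split(","))
    if len(raw) >= 2 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\0") if s]

def boot_execute_is_default(reg_line):
    """reg_line is a '"BootExecute"=hex(7):...' line; anything beyond the
    stock entry means another program was added to run before logon."""
    value = reg_line.split("=", 1)[1].strip()
    return decode_hex7(value) == DEFAULT_BOOT_EXECUTE

def unexpected_search_hosts(otl_lines, allowed_hosts):
    """Return hosts of search URLs in OTL IE/FF/CHR lines that are not allowed."""
    found = set()
    for line in otl_lines:
        if not line.startswith(("IE - ", "FF - ", "CHR - ")):
            continue
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host and host not in allowed_hosts:
                found.add(host)
    return sorted(found)

# Constructed samples: the BootExecute line and three search-provider lines are
# copied from the fix script above (long cid/mid parameters dropped).
SAMPLE_BOOT_EXECUTE = '"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00'
SAMPLE_OTL = [
    'IE - HKCU\\..\\SearchScopes,DefaultScope = {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}',
    'IE - HKCU\\..\\SearchScopes\\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1142338',
    'FF - prefs.js..keyword.URL: "http://isearch.avg.com/search?ds=AVG&sap=ku&q="',
    'CHR - default_search_provider: search_url = http://blekko.com/?source=c3348dd4&tbp=rbox&q={searchTerms}',
]
# Assumed allowlist: the search engines this machine is expected to use.
ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.bing.com"}

if __name__ == "__main__":
    print("BootExecute is stock:", boot_execute_is_default(SAMPLE_BOOT_EXECUTE))
    print("Unexpected search hosts:", unexpected_search_hosts(SAMPLE_OTL, ALLOWED_SEARCH_HOSTS))
```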
     
  47. hedvix

    hedvix Private E-2

    Hi, Nice to work with you.

    Did what you asked and uninstalled everything.
    OTL crashed in the middle of the scan. I seem to recall something about "file not found" looking at the OTL window at the very bottom line, don't remember exactly. I had to use ctrl+alt+del to reboot my comp.
    I checked the OTL_ folder; there's a folder named "04222012_145020", which matches the time I ran the scan, but there were no logs present.

    Should I run it again?

    I attached the MGLOGS just in case you need it.
    I haven't checked for the redirection yet, since I feel a bit uncomfortable browsing the net without any antivirus installed.
     

    Attached Files:

  48. thisisu

    thisisu Malware Consultant

    Last edited: Apr 22, 2012
  49. hedvix

    hedvix Private E-2

    Ran smoothly this time around.
    Logs are attached below.
     

    Attached Files:

  50. thisisu

    thisisu Malware Consultant

    Test to see if the redirection is still occurring or not and let me know.
     
