not sure what this could be...

Discussion in 'Malware Help (A Specialist Will Reply)' started by shiato storm, Oct 3, 2008.

  1. shiato storm

    shiato storm Private E-2

    Hi, got sent here on advice after asking around, so really hoping someone can help. The problem manifests itself in such a way that when I perform a search via Google, Yahoo etc. all the results retrieved are to shopping sites, or the sort that no one would ever actually bother to go to, such as 'findstuff.com' or 'best-deals.com'. I tried in Firefox and IE and it happens in both. FF just simply shuts down - without warning - when attempting to access sites I normally would, my own site even (most irritating!). I noticed also in the address bar during this the IP 78.157.142.58 coming up, so something is causing a redirect.
    No 'offline' programs I use daily, such as Photoshop etc., are affected.
    I have gone through the 'cleaning programs' as advised, as well as AVG which I have on here, and followed the most helpful guide (hats off to those who put it all together), and as far as I can tell they come up clear, but I have attached them as per the guide.
     


  2. shiato storm

    shiato storm Private E-2

    and the 4th attachment :)
    any help appreciated
     

    Attached Files: log.txt (12 KB)
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs are actually coming up clean, other than the files below, which I'm unsure about:
    Code:
    "C:\WINDOWS\temp\"
    1f512b~1.tmp   3 Oct 2008       41246  "1f512bfe-521e-4126-8732-7abb9850aeb5.tmp"
    2c53ac~1.tmp   3 Oct 2008    13467648  "2c53ace6-5ac3-4d30-91a6-6df4b798e8cd.tmp"
    91a33f~1.tmp   3 Oct 2008      391155  "91a33fa8-a144-43e1-8144-84dc7dcdb330.tmp"
    
    Can you delete these files? If so, do they or similar ones come back? Do they come back after a reboot?

    When did this problem begin?
    Does it also happen in safe boot mode?

    Please follow Running GMER to detect rootkits and attach the requested log.

    I also suggest that you add the 78.157.142.58 IP address to your Restricted Zone in Internet Explorer and also add a line for it to your hosts file. This IP address is registered as below. Does anything there look familiar?
    Code:
    inetnum:        78.157.142.0 - 78.157.142.255
    netname:        VDHOST
    descr:          VdHost Ltd.
    descr:          abuse@vdhost.info
    country:        LV
    admin-c:        AV2990-RIPE
    tech-c:         UNHM-RIPE
    status:         ASSIGNED PA
    mnt-by:         UN-MNT
    source:         RIPE # Filtered
    
    role:           UltraNet Hostmaster
    address:        UltraNet SIA
                    Aizkraukles 23
                    Riga, LV-1006
                    Latvia
    phone:          +371 67543003
    fax-no:         +371 67594435
    e-mail:         hostmaster@ultranet.lv
    admin-c:        AS28817-RIPE
    admin-c:        MS16883-RIPE
    tech-c:         AS28817-RIPE
    nic-hdl:        UNHM-RIPE
    mnt-by:         UN-MNT
    source:         RIPE # Filtered
    
    person:         Arturs Vavilovs
    address:        Riga
    phone:          +371 29653077
    e-mail:         admin@vdhost.info
    nic-hdl:        AV2990-RIPE
    mnt-by:         UN-MNT
    source:         RIPE # Filtered
    
    % Information related to '78.157.128.0/19AS35057'
    
    route:          78.157.128.0/19
    descr:          SIA ULTRANET
    origin:         AS35057
    mnt-by:         UN-MNT
    source:         RIPE # Filtered
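To make the "do they come back after a reboot?" check above repeatable, here is an added Python example (not from the thread and not a MajorGeeks tool). It records a manifest of every file under a directory with its size and SHA-256, and after the reboot reports what was added, removed or changed. It matches by content hash as well as by name, because a dropper that writes a fresh GUID-named .tmp on every run would otherwise look like an unrelated new file. The command-line shape, the baseline path and the constructed file contents in demo() are assumptions; the GUID .tmp filenames are the ones from the log excerpt above.

```python
"""Baseline-and-compare a directory to see whether deleted files come back.

Added example; usage (paths are assumptions, not from the thread):
    python tempwatch.py snapshot  C:\\WINDOWS\\temp  baseline.json
    ... delete the suspect files, reboot ...
    python tempwatch.py compare   C:\\WINDOWS\\temp  baseline.json
"""
import hashlib
import json
import re
import sys
import tempfile
from pathlib import Path

# 8-4-4-4-12 hex GUID followed by .tmp: the naming pattern pulled out of the logs above.
GUID_TMP = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.tmp$", re.IGNORECASE)


def is_guid_tmp(name):
    """True for names like 1f512bfe-521e-4126-8732-7abb9850aeb5.tmp (not for 8.3 short names)."""
    return GUID_TMP.match(name) is not None


def sha256_file(path, chunk=1 << 16):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(directory):
    """Map relative path -> {size, sha256} for every regular file under directory."""
    root = Path(directory)
    manifest = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        try:
            manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
        except OSError as exc:
            # A file we cannot open is itself worth noting: something may be holding it.
            manifest[rel] = {"size": None, "sha256": None, "error": str(exc)}
    return manifest


def diff(before, after):
    """Classify changes between two manifests.

    'reappeared' maps a new name to an old name with identical content, so a file that
    was deleted and re-dropped under a new random name is not mistaken for a fresh one.
    """
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after)
                      if before[p].get("sha256") != after[p].get("sha256"))
    by_hash = {v["sha256"]: p for p, v in before.items() if v.get("sha256")}
    reappeared = {p: by_hash[after[p]["sha256"]] for p in added
                  if after[p].get("sha256") in by_hash}
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "reappeared": reappeared,
        "guid_tmp_added": sorted(p for p in added if is_guid_tmp(Path(p).name)),
    }


def demo():
    """Self-contained run on constructed files (contents invented here), returning the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "1f512bfe-521e-4126-8732-7abb9850aeb5.tmp").write_bytes(b"dropper payload")
        (root / "notes.txt").write_bytes(b"v1")
        before = snapshot(root)
        # Simulate the reboot: the GUID file vanishes and comes back under a new name,
        # and an ordinary file is edited.
        (root / "1f512bfe-521e-4126-8732-7abb9850aeb5.tmp").unlink()
        (root / "2c53ace6-5ac3-4d30-91a6-6df4b798e8cd.tmp").write_bytes(b"dropper payload")
        (root / "notes.txt").write_bytes(b"v2")
        return diff(before, snapshot(root))


def main(argv):
    if len(argv) != 4 or argv[1] not in ("snapshot", "compare"):
        print(__doc__)
        return 2
    command, directory, baseline = argv[1:]
    if command == "snapshot":
        Path(baseline).write_text(json.dumps(snapshot(directory), indent=1))
        return 0
    before = json.loads(Path(baseline).read_text())
    print(json.dumps(diff(before, snapshot(directory)), indent=1))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run the snapshot from an elevated prompt so locked files are at least listed; anything that shows up under "reappeared" or "guid_tmp_added" after a clean reboot is a file worth uploading to a scanner rather than deleting again.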
     
  4. shiato storm

    shiato storm Private E-2

    Hi, thanks very much for getting back to me about this. I've checked the temp folder - those files aren't there! Had a look and they're just not there. I suspect I deleted them as I went through things the other night; they haven't recurred (in fact the folder is empty).
    The problem began Wednesday/Thursday last with Firefox repeatedly crashing; once or twice I got an error message saying 'cannot write to memory [string of numbers] closing program', although there was no abnormal activity/heavy load going on at the time. Then Google searches kept getting redirected to the IP in the earlier post, the details of which aren't familiar at all; nothing I know or any site I would want to visit is in Latvia, which would indicate malicious activity...
    I have attached the GMER log for inspection

    thanks again!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The GMER log is also clean. I will give you two more scans to run at the end of this message.

    Have you added that IP address to your Restricted Zone? Also add those URLs to your Restricted Zone. In addition, you should try adding the below to your C:\windows\system32\drivers\etc\hosts file:

    127.0.0.1 findstuff.com
    127.0.0.1 best-deals.com
    127.0.0.1 78.157.142.58

    After adding the above to your hosts file and also adding those URLs and IP to your Restricted Zone, you should reboot to see if there is any change.

    What is the below, and why is it allowed access through your firewall?
    "D:\\Programs\\Games\\UT2004\\System\\UT2004.exe"=

    Did you ever have a program called GameVance installed?


    Now go here and download SysClean:

    http://www.trendmicro.com/download/dcs.asp

    You will need to download two additional files, one for viruses and the other for spyware. Instructions for which ones to download are found here:

    http://www.trendmicro.com/ftp/products/tsc/readme.txt

    After running SysClean, attach the log from it.


    Now let's run another rootkit scanner. Run the below procedure and attach the requested log:

    Using Sophos Anti-Rootkit
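An added Python example (not from the thread or from MajorGeeks) that makes the hosts-file step above repeatable and safe to re-run. Two caveats a practitioner should keep in mind when applying the list: hosts lookups are exact-match with no wildcards, so an entry for findstuff.com does not cover www.findstuff.com; and the hosts file maps names to addresses, so a line such as "127.0.0.1 78.157.142.58" cannot block connections to that IP (the Restricted Zone or a firewall rule does that). The script therefore adds the www. form alongside each name and rejects IP literals instead of writing them. The default hosts path, the sinkhole address 0.0.0.0 and the marker comment are my assumptions.

```python
"""Idempotently add sinkhole entries to a hosts file (added example, not from the thread).

Usage (assumed shape): python hosts_sinkhole.py [hosts-path] name [name ...]
Writing to the real hosts file needs an elevated (Administrator) prompt.
"""
import ipaddress
import re
import socket
import sys
from pathlib import Path

DEFAULT_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")  # assumed default location
SINKHOLE = "0.0.0.0"  # 127.0.0.1, as in the post, also works; 0.0.0.0 avoids hitting a local web server
TAG = "# search-redirect sinkhole entries"
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def parse_hosts(text):
    """Return [(address, [names...])] for each active line, dropping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        entries.append((address, [n.lower() for n in names]))
    return entries


def is_hostname(value):
    """True for a DNS name; False for an IP literal or junk.

    A hosts file maps names to addresses, so listing an IP address where a name
    belongs does nothing; such targets are reported back instead of written.
    """
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        return _HOSTNAME.fullmatch(value) is not None


def add_sinkholes(text, targets, sinkhole=SINKHOLE):
    """Return (new_text, added, skipped, rejected). Re-running on its own output adds nothing."""
    present = {name for _, names in parse_hosts(text) for name in names}
    added, skipped, rejected = [], [], []
    for target in targets:
        name = target.strip().lower()
        if not is_hostname(name):
            rejected.append(name)
            continue
        # Hosts lookups are exact, so the www. form must be listed separately.
        variants = [name] if name.startswith("www.") else [name, "www." + name]
        for variant in variants:
            if variant in present:
                skipped.append(variant)
            else:
                added.append(variant)
                present.add(variant)
    lines = text.splitlines()
    if added:
        lines.append(TAG)
        lines.extend(f"{sinkhole} {name}" for name in added)
    return "\n".join(lines) + "\n", added, skipped, rejected


def resolves_to_sinkhole(name, sinkhole=SINKHOLE):
    """After writing the file, confirm the resolver actually honours the entry."""
    try:
        return socket.gethostbyname(name) == sinkhole
    except socket.gaierror:
        return False


def main(argv):
    args = argv[1:]
    path = Path(args.pop(0)) if args and ("\\" in args[0] or "/" in args[0]) else DEFAULT_HOSTS
    targets = args or ["findstuff.com", "best-deals.com"]
    text = path.read_text(encoding="utf-8", errors="replace")
    new_text, added, skipped, rejected = add_sinkholes(text, targets)
    if added:
        path.write_text(new_text, encoding="utf-8")
    print("added:   ", added)
    print("skipped: ", skipped)
    print("rejected (not hostnames):", rejected)
    for name in added:
        print(f"{name}: {'OK' if resolves_to_sinkhole(name) else 'NOT applied (cache? permissions?)'}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

After writing the file, run ipconfig /flushdns and re-check with the resolver test above; a browser with its own DNS cache may also need restarting before the redirect domains stop resolving.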
     
  6. shiato storm

    shiato storm Private E-2

    Hi, I've checked and added to the hosts file as suggested. 'UT2004' is a video game (Unreal Tournament 2004), not played in quite a while, but you can go against others via online play, hence the firewall de-restriction. And I have never heard of 'GameVance'... so nope, never installed it :)
    SysClean log attached, Sophos A.R.K. log attached (ran it twice in error, but both times it said it found nothing).
    many thanks
     


  7. shiato storm

    shiato storm Private E-2

    p.s. just noticed its your birthday, all the best! :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well there is nothing showing up in any of your logs. This appears to be some kind of new problem. We have a second similar thread with the same kind of problem. See this thread: http://forums.majorgeeks.com/showthread.php?t=170612

    You can try using Opera as a browser like in that thread which appears to run clean. Also other user accounts appeared to be okay so you can test that on your PC.

    We have no known fix at this time. It may be something that has been added into your registry that is affecting both FF and IE. You could try using System Restore to go back to a restore point before this began, or you could try just creating a new user account. If the new account is okay, you may want to use it instead. The only other alternative would be a reinstall.

    Thanks for the birthday wish!
     
  9. shiato storm

    shiato storm Private E-2

    OK, cheers for all your help. Seems like it's a weird thing that's just not being caught by anything currently available, even deep scans... I even tried a backed-up registry I have from before the problems occurred and still no help, so probably a wipe and reinstall might be the only solution after all...
    Thankfully I keep everything important backed up (photos etc.) and they seem unaffected. I keep my programs on a separate partition to the OS; is there anything available that I can use that means I don't have to reinstall all of the programs (and their settings etc.!) as well, or is it start-from-scratch time?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    But did you try performing a full System Restore to a point before the problem began?
     
