Fake Antivirus, Redirects, and Bluescreens...

December 7, 2011 at 15:29:12
Specs: Windows 7
We're having some huge problems with this computer lately. At first, it was "Win 7 Antispyware 2012." Followed the steps on bleepingcomputer.com and it resolved that issue. Then, the computer BSOD'd:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7600.2.0.0.256.48
Locale ID: 1033

Additional information about the problem:
BCCode: a
BCP1: AD1E7270
BCP2: 00000002
BCP3: 00000000
BCP4: 8306D3E4
OS Version: 6_1_7600
Service Pack: 0_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\120711-29515-01.dmp
C:\Users\Administrator\AppData\Local\Temp\WER-63133-0.sysdata.xml

Read our privacy statement online:
http://go.microsoft.com/fwlink/?lin...

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

It hasn't happened in a while, but now it seems that going to webpages sometimes redirects through these IPs:
83.133.124.21
109.206.181.125
78.140.161.61
83.133.127.85 and more.

Anyone care to help?

#1
December 7, 2011 at 20:14:56
"Anyone care to help?"

Please upload to a site of your choice a screenshot of your Disk Management.

Depending how your comp is setup, mine is Control Panel > Administrative Tools > Computer Management > Disk Management.

#2
December 8, 2011 at 09:50:26

#3
December 8, 2011 at 10:26:34
Thanks for the screenshot shane.p, did you do all these steps?

http://www.bleepingcomputer.com/vir...

#4
December 8, 2011 at 14:33:38
Yes, sir.

#5
December 8, 2011 at 14:43:49
Ok, can I see the logs for those 3 programs please?

#6
December 8, 2011 at 14:51:04
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8329

Windows 6.1.7600 (Safe Mode)
Internet Explorer 9.0.8112.16421

12/7/2011 2:03:01 PM
mbam-log-2011-12-07 (14-03-01).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 466812
Time elapsed: 29 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\5689 (Heuristics.Shuriken) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MozillaAgent (Trojan.Agent) -> Value: MozillaAgent -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Administrator\AppData\Local\sqc.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Administrator\AppData\Local\sqc.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Administrator\AppData\Local\sqc.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Temp\_ex-68.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\5689.sys (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\Users\administrator\AppData\Local\mja.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\Users\administrator\AppData\Local\sqc.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\_ex-08.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\toesxl\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Not sure where the other logs are.
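
Added example, not code from this thread or from Malwarebytes: a small Python triage script that parses the finding lines of a Malwarebytes log like the one above, pulls the interposed launcher out of the Hijack.StartMenuInternet entries (the binary that was being run in front of firefox.exe and iexplore.exe), and pairs the quarantined service key with the .sys file of the same name so the driver can be checked against the bugcheck. The embedded log text is a constructed copy of lines from post #6; the function and field names are my own.

```python
import re

# Constructed sample input: finding lines copied from the Malwarebytes log in post #6.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\5689 (Heuristics.Shuriken) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MozillaAgent (Trojan.Agent) -> Value: MozillaAgent -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Administrator\AppData\Local\sqc.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Administrator\AppData\Local\sqc.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
Files Infected:
c:\Windows\Temp\5689.sys (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\Users\administrator\AppData\Local\sqc.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
"""

# One finding line: <item> (<detection name>) -> <rest>
FINDING = re.compile(r"^(?P<item>.+?) \((?P<detection>[A-Za-z.]+)\) -> (?P<rest>.*)$")
# Hijack entries put the bad and good command lines in parentheses before the action.
HIJACK = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.*)$")

def parse_mbam_log(text):
    """Turn the 'X Infected:' sections of a Malwarebytes log into a list of finding dicts."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):
            section = line[:-len(" Infected:")]   # e.g. "Registry Keys", "Files"
            continue
        m = FINDING.match(line)
        if not m:
            continue
        f = {"section": section, "item": m["item"], "detection": m["detection"]}
        h = HIJACK.match(m["rest"])
        if h:
            # The first quoted token of the bad command is the binary interposed before the browser.
            f["wrapper"] = re.match(r'"([^"]+)"', h["bad"]).group(1)
            f["action"] = h["action"]
        else:
            f["action"] = m["rest"].split(" -> ")[-1]   # skips "Value: ..." prefixes
        findings.append(f)
    return findings

def triage(findings):
    """Summarise what a responder wants first: browser launchers and service-backed drivers."""
    wrappers = sorted({f["wrapper"].lower() for f in findings if "wrapper" in f})
    # A Services key and a .sys file sharing a name is a kernel driver; worth matching to the BSOD.
    services = {f["item"].rsplit("\\", 1)[-1] for f in findings if f["section"] == "Registry Keys"}
    drivers = [f["item"] for f in findings if f["item"].lower().endswith(".sys")
               and f["item"].rsplit("\\", 1)[-1].rsplit(".", 1)[0] in services]
    return {"findings": len(findings), "browser_wrappers": wrappers, "driver_services": drivers}
```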

#7
December 8, 2011 at 15:03:56

#8
December 8, 2011 at 15:17:44
Thanks for the links. Will be doing this when I get in tomorrow.

I'm curious why it's redirecting me to legitimate sites like dailyfinance? What is the point of that?

#9
December 8, 2011 at 15:29:36
"I'm curious why it's redirecting me to legitimate sites like dailyfinance? What is the point of that?"
No idea.