www.windowslivetechsupport.com virus popup

November 12, 2011 at 16:26:45
Specs: Windows XP, 3 gig/ 3gig ram
Hello;
Recently I've been getting a window opening from "www.www.windowslivetechsupport.com" with a blue screen claiming I have a virus and I need to click on the link to remove it. By placing my cursor (without clicking, of course) I can see that the link goes to "dopesmokingdonkeys.com/base2.php"
How do I prevent this window from appearing?
I've done a full scan with Antimalware, as well as Superantispyware, but the window still pops up.
Any help would be appreciated.
Thank you



#1
November 12, 2011 at 20:17:32
hemi43,

Sounds like some fake malware...

Please download RogueKiller
http://tigzy.geekstogo.com/Tools/Ro...

Save the file to your Desktop.

Now, close all open windows and browsers.

XP users, double-click the file to run it.

When prompted, type 1 (Scan) and hit Enter.

An 'RKreport.txt' appears on your Desktop.

Please post the contents of the RKreport.txt in your reply.

We will take further action based on the results of this report.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#2
November 12, 2011 at 21:52:28
RogueKiller V6.1.7 [11/05/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/file...
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: User [Admin rights]
Mode: Scan -- Date : 11/13/2011 00:50:46

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 58 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Facebook Update ("C:\Documents and Settings\User\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver) -> FOUND
[SUSP PATH] HKCU\[...]\Run : Akamai NetSession Interface (C:\Documents and Settings\User\Local Settings\Application Data\Akamai\netsession_win.exe) -> FOUND
[SUSP PATH] HKUS\.DEFAULT[...]\Run : Windows Update (C:\WINDOWS\system32\config\systemprofile\Application Data\q0enev4828\rplh.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-448539723-1682526488-839522115-1003[...]\Run : Facebook Update ("C:\Documents and Settings\User\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-448539723-1682526488-839522115-1003[...]\Run : Akamai NetSession Interface (C:\Documents and Settings\User\Local Settings\Application Data\Akamai\netsession_win.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-18[...]\Run : Windows Update (C:\WINDOWS\system32\config\systemprofile\Application Data\q0enev4828\rplh.exe) -> FOUND
[SUSP PATH] At17.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At16.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At15.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At14.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At13.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At12.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At11.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At10.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At1.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At26.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At25.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At24.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At23.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At22.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At21.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At20.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At2.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At19.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At18.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At35.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At34.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At33.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At32.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At31.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At30.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At3.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At29.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At28.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At27.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At44.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At43.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At42.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At41.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At40.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At4.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At39.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At38.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At37.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At36.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] FacebookUpdateTaskUserS-1-5-21-448539723-1682526488-839522115-1003Core.job : C:\Documents and Settings\User\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe -> FOUND
[SUSP PATH] At9.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At8.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At7.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At6.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At5.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At48.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At47.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At46.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] At45.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[SUSP PATH] FacebookUpdateTaskUserS-1-5-21-448539723-1682526488-839522115-1003UA.job : C:\Documents and Settings\User\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe -> FOUND
[SUSP PATH] HP SimpleSave Monitor.lnk : C:\Documents and Settings\User\Application Data\HP SimpleSave Application\StartHelper.exe -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[263] : NtUnloadKey @ 0x80655A96 -> HOOKED (\??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys @ 0xB2A396D0)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


Finished : << RKreport[1].txt >>
RKreport[1].txt



#3
November 13, 2011 at 19:40:09
FYI;
When I click on a Google link, my link opens and another separate window opens with the "popup" window I mentioned. I just close it, and the computer runs fine. This happens about 8-10 times a day and is more of an inconvenience than anything else.

Also, when I run "Rkill", it shuts off this process.

C:\Documents and Settings\User\Local Settings\Application Data\Akamai\netsession_win.exe

I have no idea what it could be.
Dan



#4
November 13, 2011 at 20:16:03
Please do the following...

•Close all open windows and browsers
•XP: Double-click RogueKiller icon to run the program
•When prompted, type 2 (DELETE), and then press Enter
•An 'RKreport.txt' opens on your Desktop.
Please copy/paste the new RKreport.txt in your reply.




#5
November 14, 2011 at 07:03:49
RogueKiller V6.1.7 [11/05/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/file...
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: User [Admin rights]
Mode: Remove -- Date : 11/14/2011 10:02:51

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 55 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Facebook Update ("C:\Documents and Settings\User\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver) -> DELETED
[SUSP PATH] HKCU\[...]\Run : Akamai NetSession Interface (C:\Documents and Settings\User\Local Settings\Application Data\Akamai\netsession_win.exe) -> DELETED
[SUSP PATH] HKUS\.DEFAULT[...]\Run : Windows Update (C:\WINDOWS\system32\config\systemprofile\Application Data\q0enev4828\rplh.exe) -> DELETED
[SUSP PATH] At17.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At16.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At15.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At14.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At13.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At12.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At11.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At10.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At1.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At26.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At25.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At24.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At23.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At22.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At21.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At20.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At2.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At19.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At18.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At35.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At34.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At33.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At32.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At31.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At30.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At3.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At29.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At28.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At27.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At44.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At43.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At42.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At41.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At40.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At4.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At39.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At38.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At37.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At36.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] FacebookUpdateTaskUserS-1-5-21-448539723-1682526488-839522115-1003Core.job : C:\Documents and Settings\User\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe -> DELETED
[SUSP PATH] At9.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At8.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At7.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At6.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At5.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> DELETED
[SUSP PATH] At48.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At47.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At46.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] At45.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> DELETED
[SUSP PATH] FacebookUpdateTaskUserS-1-5-21-448539723-1682526488-839522115-1003UA.job : C:\Documents and Settings\User\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe -> DELETED
[SUSP PATH] HP SimpleSave Monitor.lnk : C:\Documents and Settings\User\Application Data\HP SimpleSave Application\StartHelper.exe -> DELETED
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED ()

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[263] : NtUnloadKey @ 0x80655A96 -> HOOKED (\??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys @ 0xB31156D0)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
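As an added example (not from this thread, and not RogueKiller's own code), a small Python triage script for the "Registry Entries" section of the reports in #2 and #5 above: it groups the At*.job tasks by the binary they launch and flags Run values whose display name sounds like a Windows component while the binary sits in a profile data folder. The sample lines are constructed from the thread's own entries with the job list shortened; the heuristics, thresholds and the list of user-writable folders are my own assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in the report format posted in this thread; the paths are
# the thread's own entries, the number of At*.job lines is shortened to three.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Facebook Update ("C:\Documents and Settings\User\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver) -> FOUND
[SUSP PATH] HKUS\.DEFAULT[...]\Run : Windows Update (C:\WINDOWS\system32\config\systemprofile\Application Data\q0enev4828\rplh.exe) -> FOUND
[SUSP PATH] At1.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At2.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe -> FOUND
[SUSP PATH] At27.job : C:\Documents and Settings\All Users\Application Data\QMGUHnoG.exe_ -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
"""

# Run-key values carry the command in parentheses; .job lines carry a bare path.
RUN_RE = re.compile(r"^\[SUSP PATH\] (?P<loc>\S+\\Run) : (?P<name>.+?) \((?P<cmd>.+)\) -> (?P<status>\w+)$")
JOB_RE = re.compile(r"^\[SUSP PATH\] (?P<job>\S+\.job) : (?P<path>.+?) -> (?P<status>\w+)$")

# Folders a non-admin user can write to; legitimate updaters live here too,
# so on its own this is only a "review" signal (assumed list).
USER_WRITABLE = ("application data", "local settings", "appdata", "temp")


def exe_from_command(cmd):
    """Pull the executable path out of a Run value (quoted or bare, with args)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def looks_random(component):
    """Crude test for one path component: letters mixed with several digits
    (q0enev4828) or almost no vowels (rplh). Thresholds are assumptions."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", component)  # drop the extension
    letters = [c for c in stem if c.isalpha()]
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c.lower() in "aeiouy" for c in letters)
    return len(letters) >= 3 and (digits >= 3 or vowels / len(letters) < 0.2)


def parse_entries(report):
    """Return one dict per [SUSP PATH] line: kind, display name, launched exe."""
    entries = []
    for line in report.splitlines():
        m = RUN_RE.match(line)
        if m:
            entries.append({"kind": "run", "name": m["name"],
                            "exe": exe_from_command(m["cmd"])})
            continue
        m = JOB_RE.match(line)
        if m:  # a trailing '_' variant of the same binary is grouped with it
            entries.append({"kind": "job", "name": m["job"],
                            "exe": m["path"].rstrip("_")})
    return entries


def triage(report):
    """Map each launched executable to a sorted list of HIGH/REVIEW reasons."""
    entries = parse_entries(report)
    jobs_per_exe = defaultdict(int)
    for e in entries:
        if e["kind"] == "job":
            jobs_per_exe[e["exe"].lower()] += 1
    reasons = defaultdict(set)
    for e in entries:
        exe, low = e["exe"], e["exe"].lower()
        parent = ntpath.dirname(low)
        if jobs_per_exe[low] >= 3:  # many At*.job tasks re-launching one binary
            reasons[exe].add("HIGH: %d At*.job tasks launch the same binary"
                             % jobs_per_exe[low])
        if looks_random(ntpath.basename(exe)) or looks_random(ntpath.basename(parent)):
            reasons[exe].add("HIGH: random-looking file or folder name")
        if (e["kind"] == "run" and e["name"].lower().startswith(("windows", "microsoft"))
                and parent not in (r"c:\windows", r"c:\windows\system32")):
            reasons[exe].add("HIGH: Windows-sounding name but binary is not in %SystemRoot%")
        if any(k in low for k in USER_WRITABLE):
            reasons[exe].add("REVIEW: launched from a user-writable data folder")
    return {exe: sorted(r) for exe, r in reasons.items()}
```

Run `triage(SAMPLE_REPORT)` to see the three binaries ranked; the Facebook updater comes out as "REVIEW" only, which matches how the thread's helper treated it.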



#6
November 14, 2011 at 07:23:02
Not 2 minutes after doing the above, I was redirected to a different site which AVG warned me was a virus.


#7
November 14, 2011 at 07:51:09
Let's press on...

Download ComboFix: http://download.bleepingcomputer.co...

Save ComboFix.exe to your Desktop!!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.
Information on disabling these programs is available here:
http://www.bleepingcomputer.com/for...


XP: Right-click on 'ComboFix.exe' to run the program.

When given the option, DO install the Recovery Console. This program can come in very handy if there is trouble.

Click on 'Yes', to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply by uploading it to Uploading.com:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the ComboFix.txt report, and click on 'Open'
You will see the following:
“Your file has been uploaded successfully: (Name and size of the file)”

Please copy the 'Download link', and provide it in your reply.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.




#8
November 14, 2011 at 14:54:21
OK, Done !!

http://uploading.com/files/7586867m...

The file is named "lognov14".

I did not get prompted to install "recovery console".

While it was scanning, I had 2 windows pop up stating that "rootkit.zero access" was installed. I had to close these windows during the scan.
Thanks, Dan



#9
November 14, 2011 at 18:49:32
If ZeroAccess is a possible player, let's do the following:

Please download TDSSKiller:
http://support.kaspersky.com/downlo...

Execute the file:
XP: Double-click tdsskiller.exe to run the program

Press the button: Start Scan

The tool scans and detects two object types:
'Malicious' (where the malware has been identified)
'Suspicious' (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action ('Cure' or 'Delete') for 'Malicious' objects. Leave the setting as it is.

It also prompts the User to select an action to apply to 'Suspicious' objects ('Skip', by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.

A Reboot Required prompt may appear after a disinfection. Please reboot.

By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post the TDSSKiller log in your reply by uploading it also.




#10
November 14, 2011 at 19:03:09
I ran the TDSSKiller, but nothing was found and no log was created.
Dan


#11
November 14, 2011 at 19:12:13
Look for the log here:

C:\TDSSKiller.2.4.7_14.11.2011_20.31.43_log.txt

In C:\




#12
November 14, 2011 at 19:36:44
ok !! I found it.

http://uploading.com/files/8b6c8df5...



#13
November 14, 2011 at 19:54:48
Please download aswMBR:
http://public.avast.com/~gmerek/asw...

Save it to the Desktop.

Double-click aswMBR.exe to start the tool.
Click 'Scan'

Upon completion of the scan, click 'Save log' and save it to the Desktop.

Note - Do NOT attempt to fix anything!!

Please post the aswMBR log in your reply.

Also, you will notice that another file is created on the Desktop.
It is named 'MBR.dat'

Please submit MBR.dat for analysis to VirusTotal:
http://www.virustotal.com/

Use the 'Browse' button to navigate to the location of the file.

Click on the file

Then, click the 'Open' button.
The file is now displayed in the 'Submit' Box.

Scroll down and click 'Send File', and wait for the results
If you get a message saying: 'File has already been analyzed', click 'Reanalyze file now'

Once scanned, please provide the link to the results page in your reply.




#14
November 14, 2011 at 20:29:47
Upon starting the program it asked me to download some type of antivirus tool, but I declined.
Here is the log file;

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-14 23:20:39
-----------------------------
23:20:39.828 OS Version: Windows 5.1.2600 Service Pack 3
23:20:39.828 Number of processors: 2 586 0x170A
23:20:39.828 ComputerName: KITCHEN UserName: User
23:20:42.312 Initialize success
23:21:34.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
23:21:34.312 Disk 0 Vendor: ST3500320AS SD15 Size: 476940MB BusType: 3
23:21:36.343 Disk 0 MBR read successfully
23:21:36.343 Disk 0 MBR scan
23:21:36.343 Disk 0 Windows XP default MBR code
23:21:36.343 Disk 0 scanning sectors +976768065
23:21:36.406 Disk 0 scanning C:\WINDOWS\system32\drivers
23:21:42.359 Service scanning
23:21:43.437 Modules scanning
23:21:46.578 Disk 0 trace - called modules:
23:21:46.593 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
23:21:46.593 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b045ab8]
23:21:46.593 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000070[0x8b0749e8]
23:21:46.593 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8b05d940]
23:21:46.593 Scan finished successfully
23:22:20.625 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\virus stuff\MBR.dat"
23:22:20.625 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\virus stuff\aswMBR.txt"

Here is the URL of the results page;

http://www.virustotal.com/file-scan...




#15
November 16, 2011 at 16:39:48
I have had no more issues the past couple of days, so things seem to be working OK. Just wondering if there were any problems in the logs I posted.
Dan.


#16
November 16, 2011 at 19:21:00
hemi43,

My apology for the delay...

Actually, it is good to run the computer for a few days and see how it behaves after running malware removal programs. If you are not having any malware problems, that is a good sign.

I will look at your reports as soon as I can, and get back with you tomorrow. There may still be some entries that we need to get rid of.

Thanks for your patience.




#17
November 17, 2011 at 11:48:02
Thank you aaflac44 !! No apology needed, as I appreciate your help.
Computer seems to be back to normal.


#18
November 17, 2011 at 15:03:36
hemi43,

The ComboFix log showed some malicious entries, and we need to get rid of them.

Be sure to continue temporarily disabling your protective software.

Now, open Notepad (Start > Run, in the Open field type: notepad)
Click: OK

Copy/paste all the following text below to Notepad:

KillAll::
Folder::
c:\documents and settings\User\Application Data\oooobF44pm5sQ7E
c:\documents and settings\User\Application Data\aA00uvvS2o

Save as CFScript.txt

Change the 'Save as type' to: All Files (*.*)

Save it to the Desktop

(Both the ComboFix icon and the CFScript.txt must be on the Desktop.)

http://img.photobucket.com/albums/v...

Left click and drag the CFScript.txt file over to the ComboFix icon. Then, 'drop' it over CF.


This triggers ComboFix to run another scan where it carries out the commands of CFScript.

CF may reboot when it finishes. This is normal.

Do not mouse-click ComboFix while it is running, as it may cause a stall!

When finished, a log is produced: ComboFix.txt

Please upload the contents of the 'new ComboFix.txt' to the Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the ComboFix report, and click on 'Open'
You will see the following:
Your file has been uploaded successfully: (Name and size of the file)

Please copy the 'Download link', and provide it in your reply.


~~~~
Also, please submit the following file for analysis to VirusTotal:
http://www.virustotal.com/

c:\windows\system32\drivers\TrueSight.sys

Use the 'Browse' button to navigate to the location of the file.
Click on the file. Then, click the 'Open' button.
The file is now displayed in the Submit Box.

Scroll down and click 'Send File', and wait for the results
If you get a message saying: 'File has already been analyzed', click 'Reanalyze file now'
Once scanned, please provide the link to the results page in your reply.

Thanks.




#19
November 17, 2011 at 18:52:06
http://uploading.com/files/3b1cab57...


http://www.virustotal.com/file-scan...
I'm having problems with the above link !!



#20
November 18, 2011 at 14:06:27
The only way I could figure out how to post the results from "Virustotal" was to print screen and save in Word.
I've sent the 3 pages to www.uploading.com
BTW, I noticed that "rootkill" was highlighted in red

http://uploading.com/files/bb835fac...
http://uploading.com/files/12bb54c2...
http://uploading.com/files/6727c43a...



#21
November 18, 2011 at 14:38:22
Please check your Private Messages.

Thanks!


