Full Version: rootkit behavior?
Malwarebytes Forum > Malwarebytes' Anti-Malware Support > General Malwarebytes' Anti-Malware Forum
bzomerlei
Avast! AV detected some potential malware on my wife's laptop running Vista Home Premium. It was trying to pop-up a window that was titled "My Computer Online Scan" and another browser with the title "67.215.238.17/redirectsoft/popup".

I got the current Malwarebytes downloaded on my computer, copied it to a flash drive, and installed it on her laptop. The update did not work, but I ran the program anyway. The scan found 4 problems and resolved them. I rebooted and rescanned with nothing found, so I was hoping things were OK. I tried to do an update, but it failed. I tried to browse to www.malwarebytes.org, but the page could not be found. I can browse to the site with any other computer on my network, and they are all using the same DNS settings from my router. Pinging from the command line also fails. If I put the IP address into the browser manually, I can see parts of the page. I have looked at my HOSTS file, and it looks OK.

I have also run Microsoft's MRT with nothing found. I just installed Vista SP2 via thumb drive as well (it would not install from Windows Update).

This seems to be acting like a rootkit since it is affecting more than the browser. Any suggestions? I'm tempted to wipe and reinstall from the recovery partition.

Brent
Maniac
Greetings and Welcome.

If you're having trouble getting Malwarebytes' and other tools to update or run please review the following tutorials and see if they are helpful:



If you aren't able to use those instructions or there are other issues then please follow the instructions here:
I'm infected - What do I do now?

And post your logs in a new topic here:
Malware Removal - HijackThis Logs

Please be sure not to install any software or use any removal or scanning tools except those that you are
instructed to by the expert who will be assisting you as doing so can make their job much more difficult.


note: if for some reason you are unable to run some or any of the tools in the first link, then skip that step and move on to the next one.
If you can't even run HijackThis, then just post here:
Malware Removal - HijackThis Logs describing your issues and an expert will reply with further instructions.


I hope I was helpful. Good luck and safe surfing.
bzomerlei
The links provided really did not help; the issue was that there was a DNS redirector. Malwarebytes with database version 2551 could not remove it, but the DNS redirector would prevent the program from updating.

What finally worked was booting into safe mode with networking. Then I was able to run the update. Once updated, the program with database 2691 was able to find the problem. I removed the files and the system seems to be running properly now. It would be nice if there was a way to update the database from a different computer with a USB flash drive.

Malwarebytes' Anti-Malware 1.40
Database version: 2691
Windows 6.0.6002 Service Pack 2 (Safe Mode)

8/24/2009 9:47:30 PM
mbam-log-2009-08-24 (21-47-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 267430
Time elapsed: 41 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ddnsfilter (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ddnsfilter (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ddnsfilter (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsFilter (Trojan.DNSChanger) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\ddnsfilter (Trojan.DNSChanger) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\DDnsFilter (Trojan.DNSChanger) -> No action taken.

Files Infected:
C:\Program Files\DDnsFilter\DDnsFilter.dll (Worm.KoobFace) -> No action taken.
C:\Windows\System32\drivers\DnsFilter.sys (Worm.KoobFace) -> No action taken.
C:\Windows\0535251103110107106.yux (KoobFace.Trace) -> No action taken.
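A small parser for the MBAM log format in the post above, written here as an added example (not Malwarebytes' own tooling): it reads the summary counts and the per-section item lines, checks that the two agree, and singles out the service key that belongs to a flagged driver file, the kernel-mode DNS filter that explains why the HOSTS file looked clean while name resolution still failed. The sample input is an abridged copy of the log shown above.

```python
import re
from collections import defaultdict

# Constructed sample: abridged copy of the MBAM log posted above (all-clear sections omitted).
SAMPLE_LOG = r"""
Registry Keys Infected: 4
Registry Values Infected: 1
Folders Infected: 1
Files Infected: 3
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ddnsfilter (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ddnsfilter (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ddnsfilter (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsFilter (Trojan.DNSChanger) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\ddnsfilter (Trojan.DNSChanger) -> No action taken.
Folders Infected:
C:\Program Files\DDnsFilter (Trojan.DNSChanger) -> No action taken.
Files Infected:
C:\Program Files\DDnsFilter\DDnsFilter.dll (Worm.KoobFace) -> No action taken.
C:\Windows\System32\drivers\DnsFilter.sys (Worm.KoobFace) -> No action taken.
C:\Windows\0535251103110107106.yux (KoobFace.Trace) -> No action taken.
"""
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 3"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"
ITEM_RE = re.compile(r"^(.+) \(([^()]+)\) -> (.+)$")          # path (Threat) -> action

def parse_mbam_log(text):
    """Return (summary counts, {section: [(path, threat, action), ...]})."""
    counts, sections, current = {}, defaultdict(list), None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SUMMARY_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            current = m.group(1)
        elif current and (m := ITEM_RE.match(line)):
            sections[current].append(m.groups())
    return counts, dict(sections)

def count_mismatches(counts, sections):
    """Sections whose item lines disagree with the summary count: a truncated or edited log."""
    return [s for s, n in counts.items() if len(sections.get(s, [])) != n]

def driver_services(sections):
    """Service keys named after a flagged .sys file: the kernel-mode piece a HOSTS check would miss."""
    sys_names = {p.rsplit("\\", 1)[-1][:-4].lower()
                 for p, _, _ in sections.get("Files Infected", []) if p.lower().endswith(".sys")}
    return sorted(p for p, _, _ in sections.get("Registry Keys Infected", [])
                  if p.rsplit("\\", 1)[-1].lower() in sys_names)
```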
Maniac
Please post all information and logs in a new topic in Malware Removal - HijackThis Logs
bzomerlei
QUOTE (Maniac @ Aug 25 2009, 08:23 AM)
Please post all information and logs in a new topic in Malware Removal - HijackThis Logs


Maniac,
I'm not sure you read my post before replying... The problem is fixed, I will not be posting a new topic.

Thanks
Firefox
bzomerlei, there is a way to update the program using another computer and a flash drive... it can be found
