
BHO: WormRadar.com IESiteBlocker.NavFilter

36 posts in this topic

I've got nearly the same problem already described in another topic: "Virus Blocking Malwarebytes Installation and Operation, Restricts Access to AVG, Malwarebytes, System Restore":

- redirections to random websites

- when I reload the page it's OK

- hang up on "google-analytics..."

My antivirus: Avira.

My old antivirus: AVG (but seems to be infected?)

I've downloaded HJT and Malwarebytes.

- MWB: I can download it without problem, I cannot install it without changing its name.exe, and with a random name it is working OK.

- HJT: download, install & running without changing its name were OK.

1st running of MWB => a few things detected and removed: Malware.Trace, Worm.Magania, Rootkit.Rustak; Rogue.AntivirusSuite. MWB cleaned them OK.

1st running of HJT => I found "BHO: WormRadar.com IESiteBlocker.NavFilter" entry and cleaned it. And a lot of other entries that I did nothing about.

Now: running MWB with "mbam.exe" is still not working. This is why I'm still afraid something wrong is still on my computer.

I tried to do my best on my own, but it seems to be not enough. Could you help me, please?


I noted 3 processes that should not be running (because AVG9 is normally no longer running):

avgchsvx, avgchsvx and avgrsx.

When I try to kill them, I can remove avgchsvx and avgchsvx, but avgrsx is still alive?

Please find a log from HJT. Sure it will help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:10:25, on 05/10/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Appli\AVG9\avgchsvx.exe
C:\Appli\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Appli\Avira\AntiVir Desktop\sched.exe
C:\Appli\AVG9\avgcsrvx.exe
C:\Appli\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Appli\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Appli\Firefox\firefox.exe
E:\Appli\Hercules\WiFiStation.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Appli\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll (file missing)
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Appli\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Appli\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Appli\Adobe\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [bDYi] C:\DOCUME~1\admin\LOCALS~1\Temp\bDYi.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "E:\Appli\TomTom\TomTomHOMERunner.exe" -s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE R

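Two entries in the HijackThis log above are the ones a malware-removal helper would act on first: the R1 line that points Internet Explorer's proxy at 127.0.0.1:5555 (the browser's traffic is being routed through something listening on the local machine, which fits the random redirections reported), and the O4 RunServices entry that launches bDYi.exe out of the user's Temp folder. The following triage script is an added example, not part of this thread and not a tool from HijackThis or OTL: it parses log lines in the HijackThis/OTL "R1 - …" / "O4 - …" shape and flags a loopback proxy, a Temp-folder autostart, a drive autorun handler (the O33 MountPoints2 entries that the OTL fix later in this thread removes) and orphaned entries whose file no longer exists. The sample lines are a constructed subset modelled on the posted log, and the severity labels are this example's own assumptions.

```python
"""Triage of HijackThis/OTL-style log lines (added example, not the thread's
own tooling). Flags the kinds of entries the helper on this thread acts on."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "R1 - ..." / "O4 - ..." : a section code, then the entry body.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<proxy>\S+)")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)

# Constructed sample: a subset modelled on the log posted in this thread.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555",
    r"R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll (file missing)",
    r"O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Appli\jre6\lib\deploy\jqs\ie\jqs_plugin.dll",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Appli\Avira\AntiVir Desktop\avgnt.exe" /min',
    r"O4 - HKLM\..\RunServices: [bDYi] C:\DOCUME~1\admin\LOCALS~1\Temp\bDYi.exe",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r'O33 - MountPoints2\{4d8fa70c-5a7c-11dd-9b51-00142a88f968}\Shell\open\Command - "" = K:\RECYCLER\INFO.exe -- File not found',
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


@dataclass(frozen=True)
class Finding:
    line_no: int
    code: str
    severity: str   # assumed labels: high / medium / low
    reason: str
    text: str


def classify(code: str, body: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious entry, or None if benign."""
    # A proxy on the local machine means every browser request is relayed
    # through whatever is listening there before it reaches the network.
    m = PROXY_RE.search(body)
    if m and ("127.0.0.1" in m.group("proxy") or "localhost" in m.group("proxy").lower()):
        return "high", "browser proxy points at the local machine (traffic interception)"
    # Legitimate software does not autostart from a user's Temp directory.
    if code == "O4" and TEMP_RE.search(body):
        return "high", "autostart entry launches an executable from a Temp directory"
    # Per-drive autorun handlers are how removable-media worms re-launch.
    if code == "O33" and ("AutoRun" in body or "RECYCLER" in body):
        return "medium", "drive autorun handler (typical of removable-media worms)"
    # Leftover pointers to deleted files: clean-up, not active infection.
    lowered = body.lower()
    if "(file missing)" in lowered or "file not found" in lowered:
        return "low", "entry references a file that no longer exists (orphaned)"
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan every recognised log line and collect the suspicious ones."""
    findings: List[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        result = classify(m.group("code"), m.group("body"))
        if result:
            severity, reason = result
            findings.append(Finding(n, m.group("code"), severity, reason, line))
    return findings


def severity_counts(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3} [{f.severity:<6}] {f.code}: {f.reason}")
        print(f"          {f.text}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

Running it on the sample prints the proxy and Temp-folder entries as high, the K: autorun handler as medium and the missing AskSearch DLL as low; the two Avira/CTFMON entries and the Java BHO produce nothing. Feed it a full log with `triage(open("hijackthis.log").read())` to get the same ranking over the real file.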

:(

Go here and follow the instructions.

Post the results in a reply in this topic.


Thanks.

1) DeFogger Disable + reboot OK, the log:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:44 on 05/10/2010 (admin)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)

-=E.O.F=-

2) DDS ran on my desktop... seems to be blocked! Neither DDS.txt nor Attach.txt??

I also tried to run it with cmd + dds.scr => nothing

I then tried to change its name and ran it again => nothing


What about the log from GMER?

Can you please post the content of that log in your reply.

Also do this.

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, tick the box beside Scan All Users at the top.
  • Underneath Output at the top set it to Standard Output.
  • Underneath the option Extra Registry set it to Use SafeList.
  • Underneath the option File Scans tick the boxes beside Use Company Name WhiteList, Skip Microsoft Files, LOP Check, Purity Check.
  • Download the following file scan.txt to your Desktop. You may need to right click on it and select "Save"
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
  • Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Run Scan button. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time.


Please find attached the ark.txt.

+ MWB running again, and the results attached. (Yesterday there were no more infected elements. Now, 2 "infected elements" + I click "remove").

And now I start OTS.exe and will post the results.

ark.txt

mbam_log_2010_10_05__19_31_26_.txt


(OTL.exe I mean).

Extras.txt:

OTL Extras logfile created on: 05/10/2010 19:39:16 - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\admin\Bureau
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 0000040C | Country: France | Language: FRA | Date Format: dd/MM/yyyy



The log from GMER is incomplete.

It should end with

---- EOF - GMER 1.0.15 ----

Please post the complete log


Process "update.exe" just running (taking some CPU in the win tasks list) unsolicited?!


"update.exe" seems to be just the Avira signatures auto-update.

Sorry for the false alarm, I'm just becoming a little bit paranoid.


GMER is running again... Much longer than the first time. It may have been interrupted, because I really copy/pasted the full output file.


In case it ends up incomplete this time as well, scan the computer with this one.

First please post the log from GMER.

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get the following warning, just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"


New GMER is taking much, much longer, scanning each and every file on my HD...

I'm going to have lunch now. I will be back in approx 1/2 hour. I prefer to mention it so you don't lose your time waiting for me to answer.

Be sure I really-really appreciate your help. Thanks a lot, and hope to read you in approx half an hour.

I will then post ark2.txt.

RootkitUnhooker ends before GMER. Results attached.

What I meant in the previous post was to run RKU if GMER ended up with an incomplete log. That is, RKU should have been run only after GMER had finished and the log was incomplete.

Never run two tools, antivirus programs or firewalls at the same time; they will most likely interfere with each other.

I'll wait for the log from GMER, then we'll deal with this rootkit.


:( Sorry.

(For antivirus, I know it was a problem. But I've never been able to get rid of these AVG processes: avgchsrx, avgcsrvx & avgrsx, while now Avira is my antivirus.)

GMER finally ended. See the attached report.

(Probably a problem of virtual drives? One day something pushed my old drive letters one letter away. I noticed it because some links were not working anymore. The atapi.sys driver seems strange too. I just don't know. Symptoms and strange PC behaviors.)

ark2.txt


OK.

We'll deal with removing the leftovers from AVG in a bit.

First let's hit that rootkit.

Please read carefully and follow these steps.

Step 1.

TDSSKiller:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    TDSSKillermain.png
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    TDSSKillerSuspicious.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.

ComboFix:

Download ComboFix from one of these locations:

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. Here is a howto for some of the applications.
    They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Step 3.

Things I would like to see pasted in your reply:

  • The content of the report from TDSSKiller in step 1.
  • The content of C:\ComboFix.txt from step 2.
  • Information on how your computer is running after those steps.


Rootkit.TDSS found + cure + reboot.

Step 2: Combofix downloaded.

I'm starting Step 2...


The content of C:\ComboFix.txt from step 2:

And now, I'm checking how my computer is running after those steps...

ComboFix.txt


- MWB is running OK including when I launch it as "mbam.exe" (was blocked before) => 1st pleasant fact.

- I lost the mini icon of the win task manager. But I think it's not a problem. I will reboot to check if it's working as usual (yes, I am used to keeping an eye permanently on this CPU activity indicator) :(

- A new ie shortcut has been created on my desktop (I'm firefox user, I never use ie). But OK, I will remove it.

Could you tell me if MWB or HJT installed a permanent "watchdog" (don't know the right word, sorry) to secure from potential future malware, trojans... (I wish they do). As I think my problem is solved, I don't want to bother you again with that.

To check if everything is OK is now a question of time and going back to surfing the internet. The problem was that from time to time it redirected to random pages and was hanging on google-analytics... But not systematically. Hard to know if it will ever happen again.

Many thanks for your help ! Merci beaucoup de votre aide !


[heir] We'll deal with removing the leftovers from AVG in a bit.

I've downloaded AVGremover.exe. Is that the right application to run in order to remove the leftovers from AVG ?


Note!

Please stop wandering off doing things on your own. Doing so can in some cases be dangerous.

I need to analyze the logs first to prepare next steps.

I know you might be eager to get this computer clean. There is however seldom a quick fix.

Me being online at the same time as you is just your luck as this isn't an online service.

I'll get back to you when I've analyzed the logs.

Now it's late here. Need to tuck in for the night.

I'll be back tomorrow with the next steps.

heir


Sorry if I "sounded" harsh in my previous post. It was late here. :(

It looks as if you've had avast installed on this computer at some time as well. Is that correct?

Shall we remove the leftovers?

[2009/09/06 19:03:25 | 000,000,000 | ---D | M](C:\Documents and Settings\admin\Mes documents\??? ????????) -- C:\Documents and Settings\admin\Mes documents\??? ????????
Do you recognize these documents with Cyrillic characters?

There are some more entries that are out of place. We'll have a look at them here and run a couple of scans.

Let's continue with the following steps.

Step 1.

Filescan:

  • Using Internet Explorer please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    C:\WINDOWS\System32\drivers\ytuf.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Step 2.

OTL-fix:

Run OTL.exe

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    IE - HKU\S-1-5-21-1645522239-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1645522239-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-21-1645522239-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    O3 - HKU\S-1-5-21-1645522239-2077806209-725345543-1003\..\Toolbar\WebBrowser: (no name) - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - No CLSID value found.
    O4 - HKLM..\RunServices: [bDYi] C:\DOCUME~1\admin\LOCALS~1\Temp\bDYi.exe File not found
    O33 - MountPoints2\{4d8fa70c-5a7c-11dd-9b51-00142a88f968}\Shell\AutoRun\command - "" = K:\
    O33 - MountPoints2\{4d8fa70c-5a7c-11dd-9b51-00142a88f968}\Shell\explore\Command - "" = K:\RECYCLER\INFO.exe -- File not found
    O33 - MountPoints2\{4d8fa70c-5a7c-11dd-9b51-00142a88f968}\Shell\open\Command - "" = K:\RECYCLER\INFO.exe -- File not found
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "c:\Appli\Azureus\Azureus.exe"=-
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL fixlog

Step 3.

Uninstall unwanted programs:

Please go to Start > Control Panel > Add/Remove Programs and remove the following:

AVG Free 9.0

Azureus

Optional removals

Azureus and P2P programs in general are legal themselves, but much of the content downloaded with them is downloaded illegally. They are also a great way to infect yourself with malware.

It's up to you if you want to remove the above programs, however I recommend you do.

Step 4.

AVGRemover:

As stated by AVG

AVG Remover eliminates all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc. AVG Remover is the last option to be used in case the AVG uninstall / repair installation process has failed repeatedly.

Only use this if the uninstall fails in the step above.

Choose and download the appropriate version of AVGRemover

Use the tool to remove AVG from your computer

Step 5.

MBAM:

  • Launch Malwarebytes' Anti-Malware.
  • Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 6.

OTL-scan:

Delete scan.txt on your desktop.

  • Double click on OTL.exe on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, tick the box beside Scan All Users at the top.
  • Underneath Output at the top set it to Standard Output.
  • Underneath the option Extra Registry set it to Use SafeList.
  • Underneath the option File Scans tick the boxes beside Use Company Name WhiteList, Skip Microsoft Files, LOP Check, Purity Check.
  • Download the following file scan.txt to your Desktop. You may need to right click on it and select "Save"
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
  • Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Run Scan button. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Step 7.

Things I would like to see in your reply:

  • Answers to the questions in the beginning of this post.
  • The content of the result from the filescan in step 1.
  • The content of the fixlog from OTL in step 2.
  • Which programs were uninstalled in step 3?
  • Did you perform step 4?
  • The content of the report from MBAM in step 5.
  • The content of OTL.txt and Extras.txt from step 6.

This topic is now closed to further replies.