Avast WEBforum

Other => Viruses and worms => Topic started by: amaxey45 on January 06, 2011, 05:09:02 PM

Title: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: amaxey45 on January 06, 2011, 05:09:02 PM

cancelled.  I finally got rid of AV8 on this laptop, but cannot get rid of the issue of opening web pages.  I get the same message everytime...Attention! Your web page request has been cancelled.  I have scanned it with a fully updated very of MBAM which finds nothing.  I saw this issue in another thread via google, but cannot determine how that issue was solved.  Thanks in advance for the help.

mbam log...

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5457

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/6/2011 9:46:59 AM
mbam-log-2011-01-06 (09-46-59).txt

Scan type: Full scan (C:\|)
Objects scanned: 368486
Time elapsed: 1 hour(s), 34 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Title: Re: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: Pondus on January 06, 2011, 05:20:08 PM

OBS: your Malwarebytes is not updated, latest signaturbase is 5471 so you may update and try again

Here are some more you can try.....if no success then Essexboy is next  ;)

Kaspersky TDSSKiller http://support.kaspersky.com/viruses/solutions?qid=208280684
Norman Malware Cleaner http://www.norman.com/support/support_tools/malware_cleaner/
Dr.Web CureIt http://www.freedrweb.com/cureit/?lng=en
How to use it http://www.freedrweb.com/cureit/how_it_works/?lng=en


Save to desktop and run from there. They are not installed so no uninstall needed when done, just drag and dropp in recyle bin

Title: Re: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: Asyn on January 06, 2011, 07:52:06 PM

If your system is clean, you maybe have to fix your winsock in XP...
http://majorgeeks.com/WinSock_XP_Fix_d4372.html
asyn

Title: Re: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: essexboy on January 06, 2011, 07:54:30 PM

There may still be some active elements - an OTL log would determine that

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
  
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Attach these logs please
    

Title: Re: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: amaxey45 on January 07, 2011, 09:24:39 PM

Here is the OTL file.  I ran all the scans from the previous posters with no luck.  I appreciate the help.

Title: Re: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: essexboy on January 07, 2011, 09:48:01 PM

I see that you have the AVP tool on your desktop, could you run it in the following mode please

Select the Manual Disinfection tab
Press the Gather System Information button
Once done Open the last report saved folder  then upload to Mediafire (http://www.mediafire.com/) and post the sharing link.
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

Title: Re: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: amaxey45 on January 07, 2011, 10:00:43 PM

Done.

Title: Re: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: essexboy on January 07, 2011, 10:02:10 PM

Could you post the link for the log please  ;D

Title: Re: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: amaxey45 on January 12, 2011, 06:06:31 PM

I apologize for the delay.  I work for a school district and the teacher needed the infected laptop back for the weekend and he has just brought it back to me.  Here are the links...

http://www.mediafire.com/?u220nzw1ypojpgg

or

http://www.mediafire.com/file/u220nzw1ypojpgg/avptool_sysinfo.zip

Title: Re: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: essexboy on January 12, 2011, 07:48:14 PM

Ok some bad boys are still there- this one will clear the majority.  On completion can you let me know what problems you are experiencing 

• Re-run AVPTool
• Select the Manual Disinfection tab
  
• Where it states Step 3 paste in the following disinfection script and press execute
  

Code: [Select]

begin
SetAVZPMStatus(True);
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 BC_DeleteFile('C:\WINDOWS\TEMP\Uhd.exe');
 DeleteFile('C:\WINDOWS\TEMP\Uhd.exe');
 RegKeyParamDel('HKEY_USERS','.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run','JP595IR86O');
 RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','JP595IR86O');
 BC_DeleteFile('C:\WINDOWS\TEMP\Uhg.exe');
 DeleteFile('C:\WINDOWS\TEMP\Uhg.exe');
 RegKeyParamDel('HKEY_USERS','.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run','MFJJEC0A1L');
 RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','MFJJEC0A1L');
 BC_DeleteFile('C:\WINDOWS\TEMP\Uhi.exe');
 DeleteFile('C:\WINDOWS\TEMP\Uhi.exe');
 RegKeyParamDel('HKEY_USERS','.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run','NtWqIVLZEWZU');
 RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','NtWqIVLZEWZU');
 BC_DeleteFile('C:\WINDOWS\TEMP\xaqmnlqxq\kitsphausbs.exe');
 DeleteFile('C:\WINDOWS\TEMP\xaqmnlqxq\kitsphausbs.exe');
 RegKeyParamDel('HKEY_USERS','.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run','apcgmjfl');
 RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','apcgmjfl');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

• Your system will reboot on completion, if it does not please do so yourself
• On completion please run another analysis scan and attach the zip file

(http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg)

Title: Re: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: amaxey45 on January 12, 2011, 08:11:51 PM

Everytime I open a web page I still get...

"Attention! Your web page request has been cancelled.
This web site refused your connection as it was reported as a malicious request. This can be caused by Viruses, Trojans or Malware found on your computer.

In order to resend your request to the website, press Resend request (please note, this action may cause a permanent block of your computer by the requested website)

To activate your security software, please press Fix Now (recommended)"

I have to try the address countless times before it will actually direct me to the web site.  Here is the lastest analysis report...

http://www.mediafire.com/?0jejj9b90biz4yt

or

http://www.mediafire.com/file/0jejj9b90biz4yt/avptool_sysinfo.zip

Thanks again.

Title: Re: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: essexboy on January 12, 2011, 08:54:24 PM

OK I have done about as much manual removal as I can so lets get the next one to work

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Title: Re: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: amaxey45 on January 12, 2011, 10:47:41 PM

I ran into a bit of trouble during the combofix, which was probably my fault.  Here is the log, if this isnt adequate, I can run it again.

Title: Re: AV8 is gone, problems remain..."Attention! Your web page request has been...
Post by: essexboy on January 12, 2011, 11:19:22 PM

I can see no problems that you caused - you did have a renv infection which can take a while to remove.  Also a possible TDL3 problem

 

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: [Select]

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Altiris\\AClient\\AClntUsr .exe"=-

Renv::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Altiris\AClient\AClntUsr .exe
c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VERSIO~2 .exe
c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\Lightspeed Systems\SecurityAgent\satray .exe
c:\program files\QuickTime\qttask                                       .exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new OTListit log.

.

THEN

Please read carefully and follow these steps. 

• Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
  
• Extract its contents to your desktop.
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
   
   
  (http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png)
   
   
  
• If an infected file is detected, the default action will be Cure, click on Continue.
   
   
  (http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png)
   
   
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
   
   
  (http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png)
   
   
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
   
   
  (http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png)
   
   
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.