Avast WEBforum
Other => Viruses and worms => Topic started by: marsd on May 24, 2013, 09:37:38 PM
-
Within the last couple months my computer has been running slower-
some info and what I have noticed
I use the internet a lot for all sorts of googling- I go to all sorts of sites for research as I run a couple of blogs plus I'm always searching for answers to something-
only recently, within a week, have I got these constant avast warning messages when I use IE-- They are constant--- looking back on it now I did get a good amount of warnings in the last few months, but I'm not sure if they were just standard avast blocks or abnormal-
My computer has had a problem for a few months where it will freeze sometimes when watching a video- any video- of some sort with no rhyme or reason, the screen will go black- I will then have to do a hard reboot
I'm not sure if that has anything to do with this, but it may.. Sometimes I will watch the same video a 2nd or 3rd time and it will freeze the computer and the screen will go black on the 2nd or 3rd time watching the video-- this happens once a week or so
I have also noticed recently a lot of problems with adobe flash- seems to happen on all browsers, firefox, IE, chrome-- I try to use firefox or chrome mostly, but sometimes have to use IE
I will get a message that " a script has stopped working click to continue or cancel" and I click continue sometimes and the same message will popup- Sometimes it will go away.. but sometimes It will continue popping up each time after a long hang in the computer and I will have to hit cancel
This seems to happen when I am playing a game on facebook that requires flash- although it also happens at other times-
example-
warning: unresponsive script
A script on this page may be busy, or it may have stopped responding. You can stop the script now or you can continue to see if the script will complete
script: https://research.scottrade.com/qnr/resourcemanager/etcetc/content/packages/advancedchart.js.package.js:260
continue OR stop script
this time I tried hitting stop script and the same message popped back up- I then tried continue and it came back again-- computer hangs when I click
my constant avast warning that prompted me to investigate further has the info below-
It seems I get the messages mostly when I open IE. Then it seems I get more alerts when I go to google for a search.
I have had these messages popup from Avast and show as BLOCKED, but it will do it each time I use IE especially when I close the browser and reopen it
Infection Details
URL: http://ytimg.biz/MCheck/VersionRequest.a...
Process: C:\Program Files\Internet Explorer\iexpl...
Infection: Win32:Malware-gen
Infection Details
URL: http://fbccdn.biz/MCheck/VersionRequest....
Process: C:\WINDOWS\assembly\NativeImages_v2.0.50...
Infection: URL:Mal
Infection Details
URL: http://93.190.44.14/MCheck/VersionReques...
Process: C:\Program Files\Internet Explorer\iexpl...
Infection: Win32:Malware-gen
Infection Details
URL: http://ytimg.biz/MCheck/VersionRequest.a...
Process: C:\Program Files\Internet Explorer\iexpl...
Infection: Win32:Malware-gen
Infection Details
URL: http://93.190.44.14/MCheck/VersionReques...
Process: C:\Program Files\Internet Explorer\iexpl...
Infection: Win32:Malware-gen
Malware blocked
avast web shield has blocked a harmful webpage or file
object: http:/.../VersionRequest.ashx?codename=ac
Infection: Win32:Malware-gen
Process: C:\Program Files\...\iexplore.exe
After running adwcleaner the computer restarted but it hung after I logged in and I could only see my wallpaper and the mouse moved, but nothing else for 10 mins so I had to do a hard restart
I was able to get the log file then on that restart--
# AdwCleaner v2.301 - Logfile created 05/24/2013 at 09:43:15
# Updated 16/05/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Marwan - MSDSAWDLAB-PC
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Marwan\My Documents\Downloads\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
File Deleted : C:\Documents and Settings\Marwan\Start Menu\Programs\iLivid.lnk
Folder Deleted : C:\Documents and Settings\Marwan\Local Settings\Application Data\Ilivid
Folder Deleted : C:\Program Files\Common Files\Software Update Utility
***** [Registry] *****
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetup.exe
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ilivid
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ilivid
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
***** [Internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
[OK] Registry is clean.
-\\ Mozilla Firefox v21.0 (en-US)
File : C:\Documents and Settings\Marwan\Application Data\Mozilla\Firefox\Profiles\fgzxe0fk.default\prefs.js
[OK] File is clean.
-\\ Google Chrome v27.0.1453.94
File : C:\Documents and Settings\Marwan\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[S1].txt - [3853 octets] - [24/05/2013 09:43:15]
########## EOF - C:\AdwCleaner[S1].txt - [3913 octets] ##########
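The Web Shield alerts quoted above all share one URL path (/MCheck/VersionRequest...) while the host changes between two lookalike domains and a bare IP address. The Python script below, added here as an example and not part of the original post or of any Avast tool, parses alert text in the "Infection Details" layout shown in the thread and groups the blocked requests by path and host so that pattern is visible at a glance. The sample alert text is copied from the post, truncated with "..." exactly as the forum displays it.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample alert text copied from the post above: Avast Web Shield blocks in the
# "Infection Details" layout, with URLs and process paths truncated by "..."
# exactly as the forum displays them.
SAMPLE_ALERTS = """\
Infection Details
URL: http://ytimg.biz/MCheck/VersionRequest.a...
Process: C:\\Program Files\\Internet Explorer\\iexpl...
Infection: Win32:Malware-gen
Infection Details
URL: http://fbccdn.biz/MCheck/VersionRequest....
Process: C:\\WINDOWS\\assembly\\NativeImages_v2.0.50...
Infection: URL:Mal
Infection Details
URL: http://93.190.44.14/MCheck/VersionReques...
Process: C:\\Program Files\\Internet Explorer\\iexpl...
Infection: Win32:Malware-gen
Infection Details
URL: http://ytimg.biz/MCheck/VersionRequest.a...
Process: C:\\Program Files\\Internet Explorer\\iexpl...
Infection: Win32:Malware-gen
"""

FIELD_RE = re.compile(r"^(URL|Process|Infection):\s*(.*)$")


def parse_alerts(text):
    """Return one dict per 'Infection Details' block: {'url', 'process', 'infection'}."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Infection Details":
            current = {}
            alerts.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # The forum truncates long values with "..."; strip that marker.
            current[m.group(1).lower()] = m.group(2).rstrip(".")
    return alerts


def hosts_by_path(alerts):
    """Map each blocked URL's directory path to the sorted list of hosts serving it.

    One path requested from several unrelated hosts (lookalike names such as
    ytimg.biz / fbccdn.biz plus a bare IP) is the pattern worth noticing: the
    names are chosen to resemble CDN traffic, but the endpoint is the same.
    """
    hosts = defaultdict(set)
    for a in alerts:
        parts = urlsplit(a["url"])
        # Keep only the directory part; the last segment is cut off mid-name.
        directory = parts.path.rsplit("/", 1)[0] or "/"
        hosts[directory].add(parts.hostname)
    return {path: sorted(h) for path, h in hosts.items()}


def processes_involved(alerts):
    """Distinct processes that made the blocked requests (truncation stripped)."""
    return sorted({a["process"] for a in alerts})


def detections(alerts):
    """Count of each detection name, e.g. Win32:Malware-gen vs URL:Mal."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["infection"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for path, hosts in hosts_by_path(parsed).items():
        print(f"{path}: {', '.join(hosts)}")
    print("processes:", processes_involved(parsed))
    print("detections:", detections(parsed))
```

Run as-is it prints one line per path; for the sample that is a single path served by three hosts, which is why the expert's later fixes go after whatever is launching the requests rather than after any one domain.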
-
attached AdwCleaner log file to this post
working on mbam
-
attached is most recent Mbam Log file-
-
hi marsd,
Good that you are now working on running and producing the logs for malware analysis.
Please attach all resulting logs, otherwise you will need several more posts to copy/paste them all in.
Use Attachments and other options link directly below the text reply box you are writing in.
Click that link and browse to the file you want to attach, and select 'Open'. All files attached in this way will only be viewable by users logged into the web site; not viewable to those not logged in. You can attach up to four logs at one time, up to 512 KB per post. Additional attachments will require you use the (more attachments) link.
Much easier for you that way.
Once that is done, a certified malware removal expert will be notified. Help will be on the way.
are also required. Please attach these logs as well.
[EDIT:] Fixed typo. Note you already are attaching logs whilst I was typing, so disregard instructions above. A malware expert has been notified and will come in as soon as possible. Time zone differences may come into play, so please be patient.
-
Thanks, I am working on the logs and attaching-
Please see attached Other MBAM logs recently made that could be of use with info--
-
sorry- this one is a duplicate-- same log-- the latest quick scan
mbam-log-2013-05-24 (15-31-03).txt
others are older and are a full scan I believe.
-
Last MBAM full scan on April 12th has positive hits, so that one can be useful. Thanks for posting. I've gone and notified a malware expert.
-
Could you attach the OTL log please
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
Secondary link (http://www.itxassociates.com/OT-Tools/OTL.exe)
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir C:\ /S /A:L /C
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
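The /md5start ... /md5stop block in the instructions above asks OTL to hash a handful of core Windows binaries so they can be compared against known-good values. As an added example (not part of OTL or of this thread), the Python below performs the same kind of integrity check in a self-contained way: it hashes the listed file names in a directory, stores a baseline, and reports files that were later modified or removed. The demo() function builds a throwaway directory of constructed stand-in files rather than touching a real system32, and the hashes are compared only against a baseline captured by this script, not against any vendor list.

```python
import hashlib
import os
import tempfile

# File names OTL hashes between /md5start and /md5stop in the instructions above.
# ("services.*" in OTL is a wildcard; this example checks services.exe only.)
CRITICAL_NAMES = ["services.exe", "explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe"]


def file_md5(path, chunk_size=1 << 16):
    """MD5 of a file, read in chunks.

    MD5 is used here only to match against a baseline captured by this script,
    the same way OTL reports it; it is not a tamper-proof signature.
    """
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(directory, names=CRITICAL_NAMES):
    """Hash each named file in directory; None marks a file that is absent."""
    result = {}
    for name in names:
        path = os.path.join(directory, name)
        result[name] = file_md5(path) if os.path.isfile(path) else None
    return result


def compare(baseline, current):
    """Return {name: 'modified' | 'missing' | 'new'} for every file whose hash
    differs from the baseline; unchanged files are omitted."""
    findings = {}
    for name, expected in baseline.items():
        actual = current.get(name)
        if actual == expected:
            continue
        if actual is None:
            findings[name] = "missing"
        elif expected is None:
            findings[name] = "new"
        else:
            findings[name] = "modified"
    return findings


def demo():
    """Constructed scenario: a throwaway directory stands in for system32.

    A baseline is taken, one file is patched and one deleted, then re-checked.
    """
    with tempfile.TemporaryDirectory() as directory:
        for name in CRITICAL_NAMES:
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(b"constructed stand-in for " + name.encode())
        baseline = snapshot(directory)
        with open(os.path.join(directory, "winlogon.exe"), "ab") as fh:
            fh.write(b"\x90" * 16)  # simulate a patched binary
        os.remove(os.path.join(directory, "userinit.exe"))
        return compare(baseline, snapshot(directory))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The value of the check lies entirely in where the baseline comes from: a snapshot taken after the machine is already compromised only tells you about changes from that point on, which is why the helper compares OTL's hashes against reference values rather than against the machine's own history.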
-
I didn't know older MBAM scan could be useful-- here are more that may be useful with possible "hits"
plus I will attach MBAM as ANSI as I did not read that until later--
-
2 of 3
older MBAM attached
-
3of 3
MBAM
-
essexboy + mchain-
Hi thank you in advance---
attached are OTL logs
-
Not a lot showing there, but the URLs are bad
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
attached aswMBR
Will do Combofix now
-
Combofix attached-
I will check around with computer and report back
-
during the combofix progress I was asked to download and create a windows recovery console because I did not have one or it was out of date- So I did and it went through fine-
Everything seemed to run smoothly with Combofix- I only remember having to click yes for the windows Eula recovery console and nothing much else-
-
When I open IE I get the same malware popup from avast---
Infection Details
URL: http://93.190.44.14/MCheck/VersionReques...
Process: C:\Program Files\Internet Explorer\iexpl...
Infection: Win32:Malware-gen
Infection Details
URL: http://fbccdn.biz/MCheck/VersionRequest....
Process: C:\WINDOWS\assembly\NativeImages_v2.0.50...
Infection: URL:Mal
Infection Details
URL: http://ytimg.biz/MCheck/VersionRequest.a...
Process: C:\Program Files\Internet Explorer\iexpl...
Infection: Win32:Malware-gen
I now get a message from IE that says-
Security alert
You are about to leave a secure internet connection. It will be possible for others to view information you send.
Do you want to continue?
in future do not show this warning
yes, no, more info--
I clicked NO and closed the browser-
-
When you say bad, how bad do you mean?
can you tell what type of malware/virus I have?
Do you know if I am infected with any rootkits, or backdoor trojans. ??
Thanks
-
You are in good hands with essexboy. Every infection is different, which is why fixes are tailor-made and customized only for your system and no other.
essexboy knows quite a few people in the business, so if he encounters something new, you can be sure he will check it out. Aside from that, he also is a teacher in malware removal and repair in his other job. He learns much sometimes just by helping out people like you.
-
It is the URLs that are bad .. All I need to do now is find what is launching them
Please download to your desktop Short cut cleaner (http://www.bleepingcomputer.com/download/shortcut-cleaner/)
Then run.
(https://dl.dropbox.com/u/73555776/sc%20cleaner.JPG)
When the Shortcut Cleaner has finished scanning your hard drive it will create a log file on your desktop called sc-cleaner.txt and then display it.
Please post that log
-
sc-cleaner.txt attached---
I have no doubt I am in good hands-
I like to try and learn what I can and I was curious to know what I had--
ty ty ty
;D
-
also I was wondering if what I have is bad enough to warrant a clean install--
I would rather not have to do that, but if it was wise to do so with whatever I have then I would-
That's why I was wondering if you knew exactly what I was dealing with..
thanks again - I hope you had a good weekend
-
OK I think I may have found it, let me know if the deletion of this folder stops it
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
[2013/04/13 19:42:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marwan\Application Data\MCommon
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7ADEFB8E-B723-45E6-86E2-2B7841F5D6A5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.PerformancePack\CLSID]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7adefb8e-b723-45e6-86e2-2b7841f5d6a5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.PerformancePack]
:Files
C:/Documents and Settings/%UserName%/Application Data/Microsoft Extensions/MicrosoftUpdate.DLL
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
attached fix plus quick scan-
-
Ooops I used the wrong switch, have the alerts ceased ?
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Files
C:\Documents and Settings\Marwan\Application Data\Microsoft Extensions\MicrosoftUpdate.DLL
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
my internet has been down----
I will run OTL again with new info and attach log-
However, I was trying out IE and it seems that the alerts have stopped popping up when I open it at the start- I have not looked further to see if I still get some of the other alerts I was getting with some google searches though-- I will do that after OTL--
However I was using firefox today and I got a strange Trojan horse alert after clicking to go to a site I have gone to before without problems-
using firefox I did a search on google for "stock market forum" and I then clicked on www.stockrants.com/forum/
then I got this message-
Infection Details
URL: http://www.stockrants.com/forum/misc.php...
Process: C:\Program Files\Mozilla Firefox\firefox...
Infection: HTML:RedirDL-inf [Trj]
it seemed very strange, and it may be related since there is something about a redir? Although this is a trojan horse warning-
I will attach a screenshot-
-
attached OTL--
-
ps-
I just got this same message in chrome trying to open same site from chrome--
Infection Details
URL: http://www.stockrants.com/forum/misc.php...
Process: C:\Program Files\Google\Chrome\Applicati...
Infection: HTML:RedirDL-inf [Trj]
-
strange thing-
I also noticed that I can't replicate this trojan horse if I do the same search and click again through google to that site- However if I restart the computer I am able to make the message pop up again
-
Those alerts are different, they are alerting on a Gzip on that page, could you revisit and see if the alerts still appear
-
yes I just tried it again, google searched, clicked to site, and get the same message-
Trojan Horse Blocked-
Infection Details
URL: http://www.stockrants.com/forum/misc.php...
Process: C:\Program Files\Mozilla Firefox\firefox...
Infection: HTML:RedirDL-inf [Trj]
-
Does this only happen in Firefox now ?
If so could you disable all addons and see if they cease
-
No this happens in Firefox and Chrome, and I will test IE too now--
some notes:
It happens only the first time I try to click to the site through google search- After that first time I get the trojan horse warning I will not get it again until I restart the computer and try again and in that instance I will get the popup message again-
Once I get the message- it doesn't happen in a different browser once it has happened in the other- for example I use chrome first, I open the site and I get the popup, then I open firefox and do the same thing, but no message-
Maybe it is hijacking google search links?
-
I could not replicate the same problem ( trojan horse) in IE--
do you still want me to try and disable addons in firefox?
any suggestions?
-
Yes disable the FF addons as some run through to Chrome as well
-
I disabled all Firefox extensions AND plugins but I still get the same Trojan Horse warning
-
I still get it with firefox and chrome- but can't replicate in IE-- and I only get it the first time after a computer restart still---
-
Could you run a fresh OTL scan please selecting all users ... The answer is somewhere within the FF/Chrome addons
-
do you need anything in custom scan box etc?
-
OTL attached---
-
Could you disable these three plugins/extensions and let me know if the alerts stop
Torch Share
WorldWinner Firefox Launcher Plugin
Catalina Marketing Corporation
-
should these all be in firefox?
in firefox i found-
catalina savings printer 2.0.0.2
worldwinner firefox launcher plugin
in chrome I found
torch share-
I turned these off, but the problem persists--- am I looking in the correct place to disable addons? should I be looking anywhere else?
-
I uninstalled torch, some web browser that I don't remember getting or ever using- since you mentioned disabling torch share, however that didn't solve anything either--
-
I can't seem to find a plugin/extension anywhere that specifically says catalina marketing corporation
-
I just tried to disable all addons/plugins/extensions in firefox and chrome, but I still get the same trojan horse warning-
-
It appears to be well hidden within either Firefox or Chrome (they do share some files)
At this stage the easiest option would be to fully uninstall Firefox and Chrome, then re-install
-
will I have to lose my bookmarks and plugins/extensions? or can I keep anything?
-
Ideally it would need to be a fresh start with regards to plugins/extensions, but export the bookmarks as they should not be a problem
-
ok sounds good-
I do this through add remove programs or some other way?
-
For firefox, first backup your bookmarks to the desktop
Then follow the steps here http://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer
This is the important part as we do not wish to retain the bad plugin :
If you want to remove your Firefox user data and settings, put a check mark in the box that says Remove my Firefox personal data and customizations. If you select this option, Firefox will not preserve your bookmarks, saved passwords, and other data if it is installed again.
Same for Chrome here https://support.google.com/chrome/answer/95319?hl=en
-
strange thing-
I removed firefox, then chrome following instructions- I even removed left over firefox folder in C program files-
However when I went to download new firefox and reinstall it I then opened firefox and it had all of the plugins still there!
It had 3 less extensions, but it left 3 extensions in firefox and all 3 were disabled-- The plugins were all enabled!-
I have before screenshots of the addons if that is helpful at all-
I also tried to replicate the Trojan horse popup, and it is still there.
-
Yes could you show all the addons. Did you select remove all data and then delete the firefox folders before re-installing ?
Clear Cache/Temp Files
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
-
yes I did all that before reinstall-
I will do this now-
here are screenshots
-
2 of 4
-
3 of 4
-
4 of 4
-
just got this in IE
Infection Details
URL: http://url4short.info/favicon.ico
Process: C:\Program Files\Mozilla Firefox\firefox...
Infection: URL:Mal
I got it by going to google and searching for:
https://www.google.com/search?q=HTML%3ARedirDL-inf+[Trj]+type+of+trojan&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#client=firefox-a&hs=zdw&rls=org.mozilla:en-US%3Aofficial&sclient=psy-ab&q=what+type+of+trojan+is+HTML:RedirDL-inf+[Trj]&oq=what+type+of+trojan+is+HTML:RedirDL-inf+[Trj]&gs_l=serp.3...10931.16746.1.16959.25.24.0.0.0.14.261.3178.0j23j1.24.0...0.0...1c.1.15.psy-ab.LguZXFN4_K8&pbx=1&bav=on.2,or.r_qf.&bvm=bv.47244034,d.aWM&fp=df2c1034d2b67a94&biw=1920&bih=1061
what type of trojan is HTML:RedirDL-inf [Trj]
Then when I clicked on the 4th thing listed it gave me that message--- However when I try and click a second time the message does not come--- Seems to have some kind of similar pattern?
http://www.drumcorpsplanet.com/forums/index.php/topic/154946-dcp-infected/
-
I ran TFC.exe
-
Do you have firefox set to sync as most of the addons/extensions are not part of the base package
Could you open a command prompt and type in the following pressing enter after it
ipconfig /flushdns
-
done
-
as for firefox set to sync, I never changed any setting about this that I know of- How do I see that info?
-
if you mean under tools, options, sync-
I never touched anything there
-
I'm still getting all sorts of google search redirecting after clicking on links--
again-
did this search on google in IE trying to see what this Trojan warning is that I got from the other google search where I clicked stockrants-
what kind of trojan is HTML:RedirDL-inf [Trj]
http://www.google.com/search?q=what+kind+of+trojan+is+HTML%3ARedirDL-inf+%5BTrj%5D&sourceid=ie7&rls=com.microsoft:en-us:IE-SearchBox&ie=&oe=&rlz=1I7ADRA_en#rls=com.microsoft:en-us%3AIE-SearchBox&rlz=1I7ADRA_en&sclient=psy-ab&q=what+kind+of+trojan+is+HTML:RedirDL-inf+%5BTrj%5D&oq=what+kind+of+trojan+is+HTML:RedirDL-inf+%5BTrj%5D&gs_l=serp.12...0.0.0.116016.0.0.0.0.0.0.0.0..0.0...0.0...1c..15.psy-ab.uIksnY_Oi_M&pbx=1&bav=on.2,or.r_qf.&bvm=bv.47244034,d.aWM&fp=b13afd72f562bd5a&biw=1280&bih=705
Then I clicked on 5th listing-
www.drumcorpsplanet.com/forums/index.php/.../154946-dcp-infected/
but it redirects to bad site--
http://url4short.info/948f56c0
and I get this warning-
Infection Details
URL: http://url4short.info/948f56c0
Process: C:\Program Files\Internet Explorer\iexpl...
Infection: URL:Mal
-
From reading that forum thread there appears to be a bad google link. Could you once more totally uninstall firefox and chrome, reboot and run an OTL quick scan selecting all users please
-
OTL attached-
-
I just reinstalled firefox and I still get all these addons that should have been deleted when I uninstalled, but for some reason they are not going away--
-
OK Uninstall Firefox, run this OTL fix and then re-install firefox please
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.19: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.6: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\@worldwinner.com/Launcher2,version=1.10.0.25: C:\Program Files\WorldWinner.com, Inc\WorldWinner Games\npwwload.dll (WorldWinner.com, Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\CouponNetwork.com/CMDUniversalCouponPrintActivator: C:\DOCUME~1\Marwan\APPLIC~1\CATALI~2\NPBCSK~1.DLL (Catalina Marketing Corporation)
FF - HKCU\Software\MozillaPlugins\tdameritrade.com/tossc: C:\Program Files\thinkorswim\tossc32.dll (TD Ameritrade)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\hotfix@mozilla.org: C:\Documents and Settings\Marwan\Application Data\Mozilla\Firefox\Extensions\MozillaHotfix [2013/02/28 16:28:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013/05/14 15:30:09 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\hotfix@mozilla.org: C:\Documents and Settings\Marwan\Application Data\Mozilla\Firefox\Extensions\MozillaHotfix [2013/02/28 16:28:16 | 000,000,000 | ---D | M]
[2012/04/25 20:59:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Marwan\Application Data\Mozilla\Firefox\Extensions
[2013/02/28 16:28:16 | 000,000,000 | ---D | M] (Mozilla hotfix) -- C:\Documents and Settings\Marwan\Application Data\Mozilla\Firefox\Extensions\MozillaHotfix
[2013/05/30 09:50:57 | 002,162,336 | ---- | C] (Catalina Marketing Corp) -- C:\Documents and Settings\Marwan\Local Settings\Application Data\BcsKtYcHW.dll
[2013/05/28 17:56:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Marwan\Application Data\MCommon
[2013/05/30 09:50:57 | 000,922,944 | ---- | M] () -- C:\Documents and Settings\Marwan\Local Settings\Application Data\a.zip
[2013/05/28 07:29:46 | 000,465,280 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2win32.cid
[2012/12/16 12:40:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marwan\Application Data\Catalina Marketing Corp
[2013/05/03 08:22:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marwan\Application Data\Catalina – Print Savings
[2013/06/03 14:16:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marwan\Application Data\MCommon
:Files
C:\Program Files\MozyHome
C:\Documents and Settings\Marwan\Application Data\Mozilla
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
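The OTL fix above is built from file-listing lines of the form `[date time | size | attributes | C/M] (publisher) -- path`, and the helper is picking out the entries that were created or modified in the days before the alerts started and that sit in the user profile without a recognisable publisher. The following is an added example, not code from this thread or from the OTL tool: a small Python parser for that line format plus the triage rule a helper applies by eye. The sample lines are copied from the log fragments quoted in the thread; the reference date (June 2013, when the fix was run) and the 14-day window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the OTL log fragments quoted in this thread
# (the page's own data, not invented entries).
SAMPLE_LOG = r"""
[2012/04/25 20:59:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Marwan\Application Data\Mozilla\Firefox\Extensions
[2013/02/28 16:28:16 | 000,000,000 | ---D | M] (Mozilla hotfix) -- C:\Documents and Settings\Marwan\Application Data\Mozilla\Firefox\Extensions\MozillaHotfix
[2013/05/30 09:50:57 | 002,162,336 | ---- | C] (Catalina Marketing Corp) -- C:\Documents and Settings\Marwan\Local Settings\Application Data\BcsKtYcHW.dll
[2013/05/28 17:56:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Marwan\Application Data\MCommon
[2013/05/30 09:50:57 | 000,922,944 | ---- | M] () -- C:\Documents and Settings\Marwan\Local Settings\Application Data\a.zip
[2013/05/28 07:29:46 | 000,465,280 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2win32.cid
"""

# One OTL file-listing line:
#   [date time | size | attributes | C(reated)/M(odified)] (publisher) -- path
# The "(publisher)" field is optional and may be empty "()".
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

TS_FORMAT = "%Y/%m/%d %H:%M:%S"


def parse_line(line):
    """Return a dict for one file-listing line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": datetime.strptime(m.group("ts"), TS_FORMAT),
        "size": int(m.group("size").replace(",", "")),
        "is_dir": m.group("attrs").endswith("D"),
        "kind": "created" if m.group("kind") == "C" else "modified",
        "company": m.group("company"),  # None when the field is absent, "" for "()"
        "path": m.group("path"),
    }


def parse_log(text):
    """Parse every file-listing line in an OTL log fragment; other lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def _in_user_profile_data(path):
    p = path.lower()
    return "\\documents and settings\\" in p and "\\application data\\" in p


def _no_publisher(company):
    return company is None or company.strip() == "" or company == "No name found"


def triage(entries, reference, days=14):
    """Flag the entries a helper would look at first. Returns [(path, [reasons])]."""
    window = timedelta(days=days)
    findings = []
    for e in entries:
        reasons = []
        # Anything touched within the window before the alerts started.
        if reference - e["timestamp"] <= window:
            reasons.append("recent")
        # A file (not a folder) dropped into the user's profile with no publisher name.
        if not e["is_dir"] and _in_user_profile_data(e["path"]) and _no_publisher(e["company"]):
            reasons.append("no-publisher-in-profile")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


def triage_text(text, reference_str, days=14):
    """Convenience wrapper: parse a log fragment and triage it against a reference date string."""
    return triage(parse_log(text), datetime.strptime(reference_str, TS_FORMAT), days)


if __name__ == "__main__":
    # Assumed reference date: the day the fix in this thread was run.
    for path, reasons in triage_text(SAMPLE_LOG, "2013/06/05 00:00:00"):
        print(", ".join(reasons), "->", path)
```

Run against the six sample lines with that reference date, the two old Firefox extension folders drop out and the four entries touched in late May remain, with `a.zip` additionally flagged for having no publisher, which is the same short list the fix script targets.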
-
ran fix-
-
OK, reinstall Firefox now and let me know if the alerts have gone. You did have Firefox backing up data, hence the return.
-
otl-
quick scan
-
No, I still get the same alerts and redirects- after following google search shown above--
Infection Details
URL: http://url4short.info/948f56c0
Process: C:\Program Files\Mozilla Firefox\firefox...
Infection: URL:Mal
fyi-
Firefox now only has these addons-
extensions:
microsoft .net framework assistant 0.0.0 (disabled)
plugins:
adobe acrobat 11.0.3.37 (enabled)
quicktime plugin 7.7.4 7.7.4.0 (enabled)
-
same pattern for other google search
"stock market forum"
Infection Details
URL: http://www.stockrants.com/forum/misc.php...
Process: C:\Program Files\Mozilla Firefox\firefox...
Infection: HTML:RedirDL-inf [Trj]
I can find other examples too if that is helpful??
-
ran fresh OTL scan
attached-
-
OK I think I know where it is hiding... Notice that the quarantine file has now added itself to the run key. As soon as this fix has completed (there will be no reboot) press the Cleanup button on OTL
Warning: This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
SRV - File not found [Auto | Stopped] -- C:\Program Files\MozyHome\mozybackup.exe -- (mozybackup)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk = C:\_OTL\MovedFiles\06052013_094250\C_Program Files\MozyHome\mozystat.exe (Mozy, Inc.)
:Files
C:\Program Files\MozyHome
C:\Documents and Settings\Marwan\Application Data\MCommon
:Commands
[resethosts]
[CREATERESTOREPOINT]
- Then click the Run Fix button at the top
-
I have done this and I will attach the logs once it restarts--
however I would like to note that I am using my other laptop and was trying to replicate those 2 warning popups with a google search and I was able to do it-- are you able to replicate them too or is it possible that this other laptop of mine is also infected?
-
I don't see any of the OTL files anywhere anymore--
did you need me to post something?
-
What link did you follow on google, could you copy it here, as I am getting no alerts at the moment
No the cleanup button removed OTL and more importantly the quarantine files
Are you still getting the alerts now ?
-
same as before-
searched google
"stock market forum"
https://www.google.com/search?q=stock+market+forum&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
clicked on stockrants 3rd in search list
http://www.stockrants.com/forum/
got trojan horse blocked warning--
Infection Details
URL: http://www.stockrants.com/forum/misc.php...
Process: C:\Program Files\Mozilla Firefox\firefox...
Infection: HTML:RedirDL-inf [Trj]
-
Going via the google link I get an alert. Going directly to the URL no alert.... That is in IE
-
I did that in firefox for me
-
In IE I get this error---
strangely I was getting this error in firefox too, but now it only seems to happen in firefox--- I wouldn't think it was so strange but I so happen to check it on my other laptop before you made any changes on this one we have been working on and it showed a warning message when we used Firefox to click on the link through google-- However now it also doesn't show it-- strange-- But both show it in IE--
To get to this one I did the following in IE--
I search in google for
what type of trojan is HTML:RedirDL-inf [Trj]
http://www.google.com/search?q=what+type+of+trojan+is+HTML%3ARedirDL-inf+%5BTrj%5D&sourceid=ie7&rls=com.microsoft:en-us:IE-SearchBox&ie=&oe=&rlz=1I7ADRA_en
then clicked on 4th listing:
www.drumcorpsplanet.com/forums/index.php/.../154946-dcp-infected/
but I was redirected to a different site and got a warning message--
redirected to this site: http://url4short.info/948f56c0
got this message:
Infection Details
URL: http://url4short.info/favicon.ico
Process: C:\Program Files\Internet Explorer\iexpl...
Infection: URL:Mal
This was in IE---
strangely this used to happen in Firefox, but I can't seem to replicate it anymore in FF
-
in IE I can replicate this message over and over again and it redirects me to that page--
If I type in URL in IE it goes to page no problem--
I get correct URL from FF--
If I do the same search in FF I am directed to the correct page now, but this was not the case earlier today--- I verified this on 2 different laptops
-
I just tried and I got this in both my laptops-
using IE I googled "stock market forum"
clicked on 3rd listing-
www.stockrants.com/forum/
and didn't get any message--
opened FF and did the same thing and both laptops gave me the same warning-
Infection Details
URL: http://www.stockrants.com/forum/misc.php...
Process: C:\Program Files\Mozilla Firefox\firefox...
Infection: HTML:RedirDL-inf [Trj]
I guess I should note I can only do this 1st time after I restart the computer whereas the other message that says malicious URL blocked and redirects me does it every time I click on the search link from searching " what kind of trojan is HTML:RedirDL-inf [Trj] "
-
strangely the " what kind of trojan is HTML:RedirDL-inf [Trj] " give me the warning in IE, but not FF
and it will redirect every time I click on the link in google----
even more strange was that my other laptop showed the same problem once, but then it was gone, and then it was back--- I can't figure it out
-
Basically there is a script or element on the page attempting a redirect which was foiled by web shield
I will have one further look for Mcommon
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
Secondary link (http://www.itxassociates.com/OT-Tools/OTL.exe)
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
would this have anything to do with the " unresponsive script warning " messages that I get on sites sometimes?
attached otl and extra
-
Yes I think I will check the site out with Zscaler as the Mcommon folder was re-installed at 1156 your time. Could you post the fix log this generates
Warning: This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
[2013/06/05 11:56:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Marwan\Application Data\MCommon
- Then click the Run Fix button at the top
-
Zulu scaler report http://zulu.zscaler.com/submission/show/321173aede881a16a0f9bd24078e95d8-1370457905
And this is just the main landing page not the forum page
-
fix log attached-
-
I believe that this site has a redirect on it, if it occurred on all sites you visited then I would suspect that your system is infected, but as it is isolated then I would tend to think you are clean
-
that sounds good to me :)
-
so you say both the trojan horse warning and the malicious URL blocked are external problems to do with those sites?
If that is the case why does it not happen in all browsers?
-
All browsers have different security features. I use IE10 and it has a built-in blacklist that will not allow a redirection to known bad sites; Chrome and Firefox also do to a degree, and without the additional extensions/plugins etc. do not have the same security level
-
great-
Thanks so much for the help---
so what was that other one that you got rid of anyway? the one where it would popup a warning each time I just opened IE--- that's the one we cured that was actually on this machine-- is there any way of knowing where it came from or how I got it?
-
That was iLivid one of the toolbars AdwCleaner removed, I then removed the appdata folder that controlled it
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
Run AdwCleaner and press uninstall
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
If you use on-line banking then as an added layer of protection install Trusteer Rapport (http://www.trusteer.com/Products/Trusteer-Rapport-for-Online-Banking)
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Thank you!!
I will see how the computer runs and cleanup this weekend hopefully--
You are a genius- A master of the art-
-Bows to the master-
Thank you again-
-
Not really, just too pig stubborn to give up :)
-
I'm stuck at uninstalling combofix--- I can't seem to find it?? I tried these directions but it says-
windows cannot find combofix etc--
a search for combofix I found
combofix.tx in folder C:\Documents and Settings\Marwan\Recent
Remove ComboFix
Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK
Follow the prompts on the screen
A message should appear confirming that ComboFix was uninstalled
-
OK continue with OTL .. That will delete it as part of its cleanup
-
cleanup complete--
thank you!!!
-
My pleasure :)