Author Topic: Malicious URL: http://rk400.com - It's destroying my access to internet.  (Read 33886 times)


Black3

  • Guest
Hello, a few days ago my Avast started to pop up some notifications about a malicious URL. I searched about it and discovered that it is the malware http://rk400.com
I tried some things, but nothing really helped me to get rid of this malware. It is blocking my access to some things on the internet, like updating some games or programs, or using Google Chrome. I can only use Opera; I didn't try Firefox.

I did some procedures and I will attach the logs from AdwCleaner, OTL and MBAM in the next post, because I couldn't attach them to this one.
Some of the logs may be in Portuguese. I'm really sorry about this; if it's a problem, please notify me so I'll try to change the program language to English and try to run them again!!

That's the pop-up; it's in Portuguese too, I'm sorry:

I already thank everyone who attempts to help me with this one, because it seems really hard to get rid of this thing. Please, I need some help here!!
« Last Edit: October 13, 2012, 06:14:34 PM by Black3 »

Black3

  • Guest
Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #1 on: October 13, 2012, 06:04:20 PM »
Logs
-----
For the record, I was running aswMBR so I could post the log here, but my PC crashed; it gave that terrible blue screen. I don't know if I should try running it again.

My OS is Windows 7 Home Premium, it's original.
« Last Edit: October 13, 2012, 06:48:48 PM by Black3 »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #2 on: October 13, 2012, 06:04:47 PM »
Some of the logs may be in Portuguese, I'm really sorry about this...

That's no problem. Keep posting your logs.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #3 on: October 13, 2012, 10:33:53 PM »
Hi, let's see if we can resolve this

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Black3

  • Guest
Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #4 on: October 14, 2012, 12:30:08 AM »
6 suspicious objects found, skipped them all, none malicious found.

I tried attaching the report file but it's too big, so I uploaded in MediaFire:

http://www.mediafire.com/view/?6ao9aot1uedvpz8

I appreciate your help!

Offline essexboy

Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #5 on: October 14, 2012, 12:32:20 AM »
OK, the MBR is not the culprit, which is good

Download and Install ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

Black3

  • Guest
Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #6 on: October 14, 2012, 01:20:48 AM »
Hi, I opened ComboFix, and it tried to update, but as I said, some programs just can't update, and that one couldn't, so I used it without updating. Then I rebooted my PC and tried to open Skype, because every time I opened Skype the malware pop-up showed up, and now it doesn't show anymore, and Google Chrome is working again. On the bad side, I lost the sticky note on my desktop with all my test dates, but this I can fix.
Just lyrics for Winamp that isn't working again, I'll try reinstalling it.
And later I'll try to update some games and programs to see if it works, but anyway, thanks man, this was really helpful.
Anyway, I'll attach the log here.

Thank you very much.

------
Well, the programs and games still don't update, and Internet Explorer and every program that uses it to connect to the internet are bugged, so I'm afraid that this malware isn't completely removed. Is there any way to know that?
« Last Edit: October 14, 2012, 01:25:08 AM by Black3 »

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5564
  • Spartan Warrior
Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #7 on: October 14, 2012, 04:48:10 AM »
Hi Black3,

Problems you are experiencing are not unusual for an infected system.

essexboy likely lives in a different (or near same) time zone as you, and will be back after work, etc. He will also assist you in fixing any additional issues because these issues were caused by the original infection in the first place.

Work with him and when all is good, he will give the all clear.

Offline essexboy

Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #8 on: October 14, 2012, 01:37:34 PM »
OK, let's check the services next

Download and run Farbar Service Scanner

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Then could you run a fresh OTL scan ensuring all users is selected


Black3

  • Guest
Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #9 on: October 14, 2012, 08:57:18 PM »
Hi, here are the logs.

Offline essexboy

Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #10 on: October 14, 2012, 10:27:45 PM »
Could you try to update after this

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
IE - HKU\S-1-5-21-2501481691-2038128686-1698612183-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://jcefk.sistemseguroupdate.com/u5z4tuoocai.win

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
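
The fix in Reply #10 removes a per-user AutoConfigURL (proxy auto-config) value and resets the hosts file. As an added example, not part of the original thread or of any tool named in it, this read-only PowerShell lists those same settings for every loaded user hive; the variable names are illustrative.

```powershell
# Added example (not from the thread): read-only audit of the settings that the
# OTL fix above touches: per-user proxy/PAC values and the hosts file.
# Run elevated so hives of other logged-on users under HKEY_USERS are readable.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$names  = 'AutoConfigURL', 'ProxyEnable', 'ProxyServer', 'ProxyOverride'

# One subkey per loaded profile (SID); the *_Classes hives hold no proxy data.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' }

$proxyReport = foreach ($hive in $hives) {
    $path  = "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in $names) {
        $value = $props.$name
        # Report only values that are actually set for this user.
        if ($null -ne $value -and "$value" -ne '') {
            New-Object PSObject -Property @{
                Sid = $hive.PSChildName; Name = $name; Value = $value
            }
        }
    }
}

# Active hosts entries: anything that is not blank and not a comment.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsEntries = @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_.Trim() -ne '' -and -not $_.TrimStart().StartsWith('#') })

'--- Proxy settings per user hive ---'
$proxyReport | Select-Object Sid, Name, Value | Format-Table -AutoSize -Wrap
'--- Active hosts file entries ---'
if ($hostsEntries.Count -eq 0) { '(none)' } else { $hostsEntries }
```

An AutoConfigURL that neither the user nor an administrator configured, like the one removed in Reply #10, is the entry to examine first.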

Black3

  • Guest
Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #11 on: October 15, 2012, 01:35:13 AM »
OK, I did everything, and then tried to update my stuff but it's still not working, IE still doesn't work (not that I care that much, anyway).
Log of the Quick Scan attached.

And thank you essexboy for helping me with this!

Offline essexboy

Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #12 on: October 15, 2012, 04:57:15 PM »
OK, let's run a further check on the MBR

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Black3

  • Guest
Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #13 on: October 15, 2012, 08:20:48 PM »
Sorry for taking too long to answer, I've been a little busy with my university.
TDSSKiller log attached.

Offline essexboy

Re: Malicious URL: http://rk400.com - It's destroying my access to internet.
« Reply #14 on: October 15, 2012, 08:50:46 PM »
It looks like system repair time I feel

Download Windows Repair (all in one) from this site

Install the programme then run

Go to step 3 and allow it to run SFC

On the start repairs tab click start

Select the following items and tick restart system when finished