Author Topic: Malicious URL/Trojan Imposter Repelled Alerts  (Read 10954 times)


Dorian Saignren

  • Guest
Malicious URL/Trojan Imposter Repelled Alerts
« on: October 29, 2010, 06:05:35 AM »
Alright, first an overview of the problems, the things I've tried, and my laptop...

It's a Gateway, been through the wringer a bit... pretty dinged up.  1.60 GHz, 896 MB of RAM, running Windows XP Media Center Edition Version 2002 Service Pack 2.  I don't currently have any notable programs, having uninstalled everything trying to get rid of this... Well, I didn't get rid of BitTorrent yet I don't think... But I haven't run it in months, since long before the problems started.

I have tried a system restore, I've scanned (IDK how many times now...) with Avast, Malwarebytes, Spybot S&D, CCleaner, and Housecall...  I've recently cleaned and defragged my computer (recently as in two days ago).  And everything keeps coming up clean, or I fix minor issues I expected to have (like a PUP from a site I know, or emptying the cache).  But still I'm seeing issues...

My computer has a hard time starting up or shutting down; usually it's slow and sometimes it freezes midway.  I have a hard time shutting down my internet connection (sometimes it won't listen to me at all).  My internet browsers (IE and Firefox both) sometimes won't start up (freezing midway, I have to end the processes or I get a flood of half-open browsers trying to get online).  Occasionally explorer.exe dies outright, usually when I'm in a folder with images or video (this started happening quite a while ago, it may or may not be related).  I frequently get "Trojan Imposter Repelled" and "Malicious URL Repelled" alerts from Avast, as well as "Virus Protection" or "You've won this!" popups, usually the same or similar ones.  Also, I have googled the IP address in the first URL blocked warnings (199.80.55.80, while scanning for this I got another with 199.80.55.19) and any site with it I am redirected from on the infected computer.  I checked the sites via another computer, but with everything in them I can't be absolutely sure it's the same problem, though I believe it is or at least it's a similar one.

I have and will post here screenshots of two of the Avast warnings, as well as one of the virus popups, and fresh scan logs from Avast, Spybot S&D, Malwarebytes, Housecall, and HijackThis!.  I have used HijackThis! on recommendation from these forums before, and I know not to do anything in it without assistance, but often a log from it is requested, so I figured I'd provide one right away since I have the program.

Any help is appreciated.  I have used these forums once before to save a previous laptop from the grave, I hope to do the same this time.

[{(Images)}]
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/avast1.jpg
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/avast2.jpg
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/avast3.jpg
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/viruspopup1.jpg
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/avastlog.jpg
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/spybotsdlog.jpg
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/housecalllog.jpg
[{(END)}]

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #1 on: October 29, 2010, 09:00:05 AM »
You did not update Malwarebytes before you scanned, so you have used a very old database: 4449, latest is 4985?  Malwarebytes is releasing several updates a day....

So update Malwarebytes scan again and post new log
« Last Edit: October 29, 2010, 09:16:20 AM by Pondus »

SafeSurf

  • Guest
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #2 on: October 29, 2010, 09:22:02 AM »
In addition to what Pondus posted about updating and running MBAM again and posting your log, check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the OTL logs.  Post the two (2) OTL log as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop > Post).  Thank you.

YoKenny

  • Guest
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #3 on: October 29, 2010, 01:38:15 PM »
After you fix the problem then please read:
Support for Windows XP Service Pack 2 ends on July 13, 2010
http://support.microsoft.com/gp/lifean31

You will need to update to SP3 as it has many Critical Updates and system performance improvements.

Dorian Saignren

  • Guest
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #4 on: October 29, 2010, 05:41:08 PM »
Thank you for your help so far, I will get on these right away.

Also, Swarnava Sengupta (a Junior Member) sent me a PM saying the following:
"please reply me back..i will tell you the solution"
I cannot reply back to him being relatively a newb on here.  Few posts and whatnot.
« Last Edit: October 29, 2010, 05:45:00 PM by Dorian Saignren »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #5 on: October 29, 2010, 05:45:28 PM »
You need 20 posts before you can reply to PMs.

Update MBAM and do a new scan and see if that may fix it......and post the log

OBS: SpyBot is no good, i would absolutely replace it with SUPERAntiSpyware   http://filehippo.com/download_superantispyware/

« Last Edit: October 29, 2010, 05:48:47 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #6 on: October 29, 2010, 06:05:08 PM »
<snip>
Also, Swarnava Sengupta (a Junior Member) sent me a PM saying the following:
"please reply me back..i will tell you the solution"
I cannot reply back to him being relatively a newb on here.  Few posts and whatnot.

Even if you could reply or use the PM function I would advise against it.

Why? You don't know who they are or their experience level, and this goes for anyone sending you a PM to offer the same. Helping outside of the forum only helps one person, when the answer could help many others who might read this in the future or be following it now.

I can't see why they can't simply post the supposed solution in the topic/forum.

Solutions not posted on the forum don't have the benefit of others seeing what that solution might be and offer comments on said solution, especially if there are flaws in it.

This isn't to say the solution that might be offered by PM isn't going to be right, it just doesn't have any scrutiny and doesn't help others. This is why support via PM isn't advised and one of the reasons why I have the "No support PMs thanks" in my profile info as it only helps one person.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #7 on: October 29, 2010, 06:14:24 PM »
Registry Defender is a rogue security program so if you have installed it, then you need to remove it.

Quote from: Bleeping Computers
Registry Defender Platinum is a rogue registry cleaning program that is advertised via malware such as the Vundo Trojan. When infected with Vundo, pop-ups will be displayed that state your Windows Registry is corrupted and that you should download and install Registry Defender Platinum. If you decide to download and install the program it will be configured to start automatically when your computer turns on. When running, the program will perform a scan and state that you have numerous Windows Registry problems. It will not, though, allow you to fix these problems until you purchase the program. Even if the program was actually describing legitimate problems, we would never know. This is because it does not explicitly state what the problems are. Instead it just states you have a problem and asks you to spend money to fix it. Legitimate programs in this category, on the other hand, would provide specific details as to each problem that has been detected.

http://www.bleepingcomputer.com/virus-removal/registry-defender-removal

Dorian Saignren

  • Guest
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #8 on: October 29, 2010, 06:18:36 PM »
I'm running MBAM right now, and I had actually just realized I should replace with SAS... I went through my old Avast forum posts and found it listed in there and I facepalmed that second... I got Spybot because I recognized it and I didn't know what else to run.  I also plan to get Webroot Desktop Firewall again...  Alright, for the hell of it... An updated list from various sources for what I plan to use for protecting and optimizing my computer.

The first six were recommended here.
Avast! Antivirus (of course :P)
SUPERAntiSpyware
Malwarebytes Anti-Malware
Webroot Desktop Firewall
HijackThis!
OTL
CCleaner  (recommended to me actually by a 'mafia' dedicated to IMVU, mainly for the purpose of cleaning out your records before trying one of their cheat methods or the surveys for free credits)
Housecall (recommended to be by my father, who has used it repeatedly and has a degree in networking)

Also, in regards to the PM, I had planned to tell them to post in here in my reply, only to find out that I couldn't reply.  A friend of mine actually followed PM 'computer repair' advice once and it was just the opposite, and I have been using forums avidly for over a decade, knowing full well the idiots and asses that sometimes abuse the PM feature on some.  So for something this important, I'm not about to trust a PM convo.  I was just hoping they were tracking this and would reply here since I couldn't reply via PM, or perhaps someone recognized them and could offer insight into their motives.

And as far as I can tell I have not installed Registry Defender.  The only protection programs I have installed right now are as follows.

Avast! Antivirus
Malwarebytes Anti-Malware
Spybot S&D
CCleaner
HijackThis!
And I have used Housecall three times in the past few days.
I also have BitTorrent and Gamebooster on my computer, but aside from that Anything else on here SHOULD be factory... I've been uninstalling everything I usually use to increase the speed of scans and to narrow the search.

For the record, I'll also be scanning thoroughly my portable drives and flash drives after this is fixed, but until I have it fixed I'm not connecting them again.

Dorian Saignren

  • Guest
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #9 on: October 29, 2010, 08:47:47 PM »
Alright, attached are logs from MBAM (fully updated) and OTL.

Also, 2 things... Firstly, I don't think svchost.exe is supposed to take up 50% of my CPU ever...  And secondly, I can't access Avast forums from my computer anymore so updates will come more sporadically since I have to get to the public library simply to check it...

NOTE: I was able to get the site to work again using the 'Last Known Good Configuration' in the boot menu (where it has safe mode and shit too), so these logs might need to be redone again...

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #10 on: October 29, 2010, 08:50:52 PM »
Quote
And secondly, I can't access Avast forums from my computer anymore
Forum Down http://forum.avast.com/index.php?topic=65645.0


Quote
Webroot Desktop Firewall
My favorite is Outpost free, almost fully automatic and that is why I like it http://free.agnitum.com/
« Last Edit: October 29, 2010, 08:55:54 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #11 on: October 29, 2010, 08:51:15 PM »
Quote from: Dorian Saignren
And as far as I can tell I have not installed Registry Defender. 
It is just that one of your images (viruspopup1) has Registry Defender displayed on it; it would normally first start as a drive-by download, trying to get you to download and install, etc.

So it was more precautionary, but may be worth looking through the info on the link for any associated issues/files, etc...
« Last Edit: October 29, 2010, 08:53:27 PM by DavidR »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #12 on: October 29, 2010, 09:57:56 PM »
My first recommendation would be to update to IE8 as soon as possible as IE6 has more holes than a sieve  ;D
Once this run is complete can you let me know what your current problems are


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKU\S-1-5-21-3942227701-1679884542-3315011257-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {2804caed-1d99-4a3d-833c-c552f986b75c} - No CLSID value found.
    O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - No CLSID value found.
    O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
    O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)
    O2 - BHO: (no name) - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - No CLSID value found.
    O2 - BHO: (no name) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-3942227701-1679884542-3315011257-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-3942227701-1679884542-3315011257-1006\..\Toolbar\WebBrowser: (no name) - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No CLSID value found.
    O3 - HKU\S-1-5-21-3942227701-1679884542-3315011257-1006\..\Toolbar\WebBrowser: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
    O3 - HKU\S-1-5-21-3942227701-1679884542-3315011257-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Reg Error: Key error.)
    [2010/06/12 23:50:07 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\jesterss.dll

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
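The O2, O3 and O16 lines in the fix script above are OTL's record of browser helper objects, Internet Explorer toolbars and ActiveX download slots; the "No CLSID value found" suffix marks a registry entry whose COM object is already gone, and a file path with a publisher in parentheses marks one that still resolves to a DLL on disk. As an added illustration for readers of this thread (not code from the thread, from OTL or from any poster), the Python below parses lines in that layout and sorts them by what the target tells you, so a long log can be reviewed as a batch before deciding what goes into a fix. The verdict labels are my own, and the sample lines are copied from the script quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input copied from the OTL fix script quoted in the post above, plus one
# non-OTL line to show that unrelated text is skipped rather than misparsed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Reg Error: Key error.)
this line is not an OTL entry
"""

# O2 (BHO) and O3 (toolbar) entries share one layout:
#   <section> - <kind>: (<display name>) - {<CLSID>} - <target>
COM_ENTRY = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>.+?): \((?P<name>.*?)\) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)
# O16 (Download Program Files / ActiveX) entries:
#   O16 - DPF: {<CLSID>} <URL> (<status>)
DPF_ENTRY = re.compile(
    r"^(?P<section>O16) - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\} "
    r"(?P<target>\S+)(?: \((?P<status>.*)\))?$"
)
# A target of the form  <drive path to a binary> (<publisher>)
FILE_TARGET = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.(?:dll|exe|ocx))(?: \((?P<publisher>.*)\))?$",
    re.IGNORECASE,
)


@dataclass
class Entry:
    section: str   # O2, O3 or O16
    kind: str      # "BHO", the toolbar hive path, or "DPF"
    name: str      # display name as logged; "" when OTL prints "(no name)"
    clsid: str     # normalised to upper case so duplicates across hives line up
    target: str    # file path, URL, or OTL's own status text
    verdict: str   # triage label assigned by triage() below (my own labels)


def triage(target: str, status: Optional[str] = None) -> str:
    """Classify an entry from what OTL reports about its target."""
    if target.startswith("No CLSID value found"):
        return "orphaned"            # registry still references a COM object that is gone
    m = FILE_TARGET.match(target)
    if m:
        # A resolvable file with a named publisher is the usual legitimate case;
        # one without a publisher is worth a closer look before anything is removed.
        return "file-present" if m.group("publisher") else "file-present-unknown-publisher"
    if status and "Reg Error" in status:
        return "broken-reference"    # DPF slot whose registry key is damaged or missing
    return "review"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O2/O3/O16 line; return None for anything else."""
    m = COM_ENTRY.match(line)
    if m:
        name = "" if m["name"] == "no name" else m["name"]
        return Entry(m["section"], m["kind"], name, m["clsid"].upper(),
                     m["target"], triage(m["target"]))
    m = DPF_ENTRY.match(line)
    if m:
        return Entry(m["section"], "DPF", "", m["clsid"].upper(),
                     m["target"], triage(m["target"], m["status"]))
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l.strip()) for l in text.splitlines()) if e]


def summarize(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group CLSIDs by verdict so, e.g., all orphaned entries can be reviewed together."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        out.setdefault(e.verdict, []).append(e.clsid)
    return out


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.section:<4} {e.verdict:<32} {e.clsid}  {e.target}")
    print(summarize(parse_log(SAMPLE_LOG)))
```

Run it as-is to see the four sample lines classified; to use it on a real OTL log, read the file into `parse_log` instead of `SAMPLE_LOG`. The "orphaned" group is the set of entries with nothing left on disk to point at, which is the same set OTL lists with "No CLSID value found"; the parser only labels, it changes nothing on the machine.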

Dorian Saignren

  • Guest
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #13 on: October 29, 2010, 10:28:19 PM »
Here it is.  As for updating IE... well I never use it >.<  I used Firefox up until it bugged so bad it wouldn't open (I think it was the virus, not sure though) I plan to get it back when this is all taken care of.  Though which would you recommend? IE8 or Firefox?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL/Trojan Imposter Repelled Alerts
« Reply #14 on: October 29, 2010, 10:45:36 PM »
Unfortunately it is a common misconception that if you do not use IE you do not need to update it.  IE is integral to Windows and has hooks/shared files with other system elements.  So you definitely need IE8 even if you do not use it.  My personal preference is for IE, but the choice is yours  ;D 

I would like to run ComboFix now as a few of the BHOs have not gone.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.