[SOLVED] VIRUS/Rootkit => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com

[thekochs]

I didn't want to repost this entire thread so here is the link: http://forum.avast.com/index.php?topic=95962.0
At this point I'm trying to figure out if there is malware or virus generating this request and if not how to supress the message ?
You can see from referenced thread the system appears clean and this pops up as soon as I open IE8.

Thx.

[Pondus]

Follow this guide and attach the logs from malwarebytes quick scan / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0


when done one of the malware removal specialists will help you.....you may have to wait untill tomorrow night

[thekochs]

Thx.....I will have to set aside some time and download and run all scans to post.

I'll repost details in few days.

Regards.

[thekochs]

Here are the MBAM & OTL logs.
I have the Avast (which shows no threats) but is 2MB....guess I can't upload that file ?

[thekochs]

Here are the RK logs......

The popup still happens after I followed the instructions per the link and rebooted PC.

[thekochs]

Here is aswMBR log.

I do have RollBack RX installed on this computer and I know it changes the MBR so I did not try to "fix" by this replacing a new MBR.
I would need to uninstall RX first then proceed with fix.

Please help on any suggestions............I'm at my wits end.....frustrating.

Thx !

[thekochs]

Essexboy,

I have not done aything else but have been reading on ComboFix, TDSSKiller & Kasperky Resue Disc 10.
I'll wait for instructions from first.

Also, key to note...........

* I do have Macrium Reflect on the machine so will take full image prior.
* I also have Horizon DataSys RollBack RX(http://www.horizondatasys.com/169614.ihtml) installed which is great program but machine was infected past and past snapshot point.  This program does alter the MBR and the state of the physical HDD is the baseline....not all the new edits/changes.  Also, they warn of software A/V programs that load prior to their POST console driver load or very low level stuff.....guess can cause issues.  Thus, I'd probably need to uninstall this first and have the XP Pro SP3 machine in a normal Windows O/S state....no RollBackRX in MBR.

Thx.

[jeffce]

Hi,

The aswMBR log looks ok...let me look over the other logs and I will return as quickly as I can.  For the time being could you let me know exactly what symptoms you are experiencing that makes you think it might be malware. 

[jeffce]

Hi,

It seems you had Norton/Symantec on your system at one time and some of the files are still hanging around.  Download and run the tool here >> ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe to remove all of Symantec.
----------

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  

Code: [Select]

:Services

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {530BA5C2-9B7B-45A3-A57E-52197F6C7ABC}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&query={SearchTerms}&invocationType=tb50-ie-dlink-chromesbox-en-us
O1 - Hosts: 192.168.1.103 NPI99CF7E
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O15 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..Trusted Domains: shift.co.kr ([www] http in Trusted sites)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2007/02/18 14:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

:Files
ipconfig /flushdns /c

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"=-
"2869:TCP"=-
"139:TCP"=
"445:TCP"=
"137:UDP"=
"138:UDP"=
"10243:TCP"=-
"10280:UDP"=-
"10281:UDP"=-
"10282:UDP"=-
"10283:UDP"=-
"10284:UDP"=-
"3389:TCP"=-
"5985:TCP"=-
"80:TCP"=-

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  

[thekochs]

Hi,

The aswMBR log looks ok...let me look over the other logs and I will return as quickly as I can.  For the time being could you let me know exactly what symptoms you are experiencing that makes you think it might be malware. 

What happens is every time I open IE8 the Avast Web Shield pops-up that URL Blocked http://rk400.com/?sov=rook-s1ysoft.com, THREAT Detected and Blocked.  Looking on the web this appears to be a bad site...known.  This Avast popup happens two-three times then stops.  The thing is I've done nothing but open IE8.....Google or Yahoo home page....nothing typed in.  I'm glad Avast blocks it but something in the PC is seeing explorer come up and is trying to access the site.....thus, I assume a Malware or Rootkit type thing.  Does that make sense ?

[thekochs]

Hi,

It seems you had Norton/Symantec on your system at one time and some of the files are still hanging around.  Download and run the tool here >> ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe to remove all of Symantec.
----------

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  

Code: [Select]

:Services

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {530BA5C2-9B7B-45A3-A57E-52197F6C7ABC}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&query={SearchTerms}&invocationType=tb50-ie-dlink-chromesbox-en-us
O1 - Hosts: 192.168.1.103 NPI99CF7E
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O15 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..Trusted Domains: shift.co.kr ([www] http in Trusted sites)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2007/02/18 14:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

:Files
ipconfig /flushdns /c

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"=-
"2869:TCP"=-
"139:TCP"=
"445:TCP"=
"137:UDP"=
"138:UDP"=
"10243:TCP"=-
"10280:UDP"=-
"10281:UDP"=-
"10282:UDP"=-
"10283:UDP"=-
"10284:UDP"=-
"3389:TCP"=-
"5985:TCP"=-
"80:TCP"=-

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  

Thx....I'll try this tommorow....late here on East Coast and I have early morning appt !

I've used ERUNT for years.....like it alot......think when I cleaned this PC origonally I forgot to put it back on......I'll do that.
Also, thx for the cleaner link on Norton.....I used to have it then AVG, now Avast.  Not to be negative to Norton or AVG but they went from great products to total bloat-wear on my PCs......I love Avast.....wow !

[jeffce]

Hi,

Take your time with running the fix. 

Not to be negative to Norton or AVG but they went from great products to total bloat-wear on my PCs......I love Avast.....wow !

Let's make sure all of AVG is removed as well.  Download and run the removal tool found here >> http://download.avg.com/filedir/util/support/avg_remover_stf_x86_2011_1322.exe

[thekochs]

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  

Code: [Select]

:Services

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {530BA5C2-9B7B-45A3-A57E-52197F6C7ABC}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&query={SearchTerms}&invocationType=tb50-ie-dlink-chromesbox-en-us
O1 - Hosts: 192.168.1.103 NPI99CF7E
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O15 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..Trusted Domains: shift.co.kr ([www] http in Trusted sites)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2007/02/18 14:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

:Files
ipconfig /flushdns /c

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"=-
"2869:TCP"=-
"139:TCP"=
"445:TCP"=
"137:UDP"=
"138:UDP"=
"10243:TCP"=-
"10280:UDP"=-
"10281:UDP"=-
"10282:UDP"=-
"10283:UDP"=-
"10284:UDP"=-
"3389:TCP"=-
"5985:TCP"=-
"80:TCP"=-

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  

OK.....AVG & Norton cleaners run.....thx !!!!

I also attached is the log file after running the custom scan with your paste code.  Note, I DID check LOP Check & Purity for this run since you said for the next not to do so....so my assumption was you wanted me to on first run with the code.

[thekochs]

• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  

Here is the scan log after.......LOP Check & Purity not checked.

Thx in advance for the help !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[jeffce]

Hi,

Thx in advance for the help !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

You are more than welcome. 
--------------

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

• Please go here then click on:
  

• Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.[/quote]

• Select the option YES, I accept the Terms of Use then click on:
  
• When prompted allow the Add-On/Active X to install.
  
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  
• Now click on Advanced Settings and select the following:
  
  • Scan for potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth Technology
    
• Now click on:
  
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  
• When completed the Online Scan will begin automatically.
  
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  
• When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  
• Now click on:
  
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  
• Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
----------

In your next reply let me know how your system is running and attach the logs made by Malwarebytes and ESET online scanner.