Author Topic: [SOLVED] VIRUS/Rootkit => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com  (Read 33802 times)


thekochs

  • Guest
Quote
I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.

Jeff, thx.

I have MBAM installed but not enabled as realtime so it won't conflict with Avast which is always on.
I'll run a Quick Scan and post but you saw above in the thread I ran a FULL scan in MBAM prior?...nothing found.

Also, how were the new OTL scan logs after your script you had me run with FIX ?
As FYI, I no longer have this popping up but to be honest this happened a little while back.....was gone for day or so then back again.

Lastly, did you see my aswMBR log above ?....it had this item.....problem ?
12:50:18.812    Disk 0 MBR [possible unknown bootkit@MBR]  **ROOTKIT**
I am taking the family on Easter weekend to relatives so may be Monday before I can run the ESET Online scanner.

jeffce

  • Guest
Hi,

Have a great time with your family over Easter.  It is no problem to leave this open.  :)
---------

I like to have Malwarebytes run again towards the end in case we shook anything else loose. 
---------

The OTL logs were looking pretty good.  With Malwarebytes and ESET we are checking for anything left lurking. 
--------

The entry that you saw in the aswMBR log is directly related to the RollBack RX on your system.  The program itself uses some technology that is seen as a rootkit but it is not actually.  :)

Pondus

  • Posts: 37504
  • Not a avast user
Quote
I have MBAM installed but not enabled as realtime so it won't conflict with Avast which is always on.
it usually doesn't.......never happened to me

if it does....this is how to avoid it - section K

http://forums.malwarebytes.org/index.php?s=54147ebdfdd762abba4d26e1e564e442&showtopic=10138&view=findpost&p=417798

thekochs

  • Guest
Here is the MBAM Quick Scan.....nothing found.
I'm calling it quits and will run the ESET Online Scanner Monday......have a great weekend !!!

jeffce

  • Guest
Quote
I'm calling it quits and will run the ESET Online Scanner Monday......have a great weekend !!!
You have a great weekend too.  If I happen to overlook the log on Monday please send me a PM.  :)

thekochs

  • Guest
Well, left the machine alone for the weekend and Avast did its regular scans with no issues found.
Also, as stated above the popup went away for day or so....has done this in the past too but came back.
This morning I opened IE8 and as soon as Google Home page came up the popup did....three times in roughly one minute.
It seems it does 3 attempts each time I go into IE8 so I waited for the 3rd then went to ESET and followed your instructions.
I disabled Avast Shields prior to running but after the three popups.
The online scanner ran for roughly one hour and found Win32\OpenCandy application threat.
I did not select remove found threats as told.
I also exited without uninstalling the app in case I need to go back.
Attached is log in ANSI.

Also, I know there are other programs like ComboFix, Kaspersky Rescue CD10, TDSSKiller but I'll await your guidance.

Please let me know next steps ?

Thx again.

jeffce

  • Guest
Hi,

I trust you had a nice weekend?  :)

What is the popup saying?
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:Files
C:\Program Files\MediaInfo\OpenCandy\OCSetupHlp.dll

:Commands
[purity]
[emptytemp]
[resethosts]
[clearallrestorepoints]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

thekochs

  • Guest
Quote
What is the popup saying?

I've attached a PDF of the screen capture (pic) of the Avast message box.

I'll wait to run OTL until you can review.

jeffce

  • Guest
Hi,

After looking at that it seems that avast was protecting you from a bad website or possibly something was on the website itself.  I don't think that is coming from within your system.  Go ahead with OTL.  :)

thekochs

  • Guest
Attached is the OTL log from the custom scan.
The popup still comes up as I rebooted and posted to this thread.
Also, I know Avast is blocking the site but I only open Internet Explorer and it comes up...I do not navigate or even touch anything.
Thus, something seems to be in the system as soon as IE8 comes up it tries to access the site.
I've tried to suppress the message in Avast's Site Blocking via http://rk400*.* but it does not stop the message.
However, I know this would be a band aid.....not resolving the baseline issue/virus.

Question....ESET Online scanner found Win32\OpenCandy application threat.
Should I run this scanner with the remove threat option ?

Let me know your thoughts and next-steps ?

Thank you again for all the help and patience.

Regards.

jeffce

  • Guest
Hi,

Let's see what this may reveal...

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

thekochs

  • Guest
Attached is a picture & log of what TDSSKiller found.....I recognize both of these.....they are part of Macrium Reflect's imaging software.  The pssnap is an alternative to the Microsoft VSS service, the other is the Reflect service......thus, I did SKIP (note there was no "cure" option......only quarantine or delete...or skip)

Question, is there a reason you did not want me in the ESET Online scanner that found Win32\OpenCandy application threat to run with the remove threat option?

« Last Edit: April 09, 2012, 10:52:07 PM by thekochs »

jeffce

  • Guest
Hi,

Quote
is there a reason you did not want me in the ESET Online scanner that found Win32\OpenCandy application threat to run with the remove threat option?
Sometimes ESET will remove an entry that does not actually need to go and that is why we ask that you don't remove them.  I removed it with OTL.  :)

thekochs

  • Guest
Oh....OK.

So, not sure where we are..........  :-\
I'm no expert but it seems the computer has a virus that every time you open Internet Explorer tries to access the http://rk400.com/?sov=rook-s1ysoft.com site.....which Avast promptly blocks.  It seems to do this three times in succession then no more until you close out of IE and re-open.  I have no idea about the virus but I'm also puzzled I cannot block this attempt via Avast Site Blocker by putting in the string  http://rk400*.* into Avast's site blocker.....perhaps I am doing this wrong?  I would assume this Avast site blocking option/feature would block the attempt so I did not even see the popup.  As stated, this would be a band-aid and not solve the underlying issue.....even mask it.....but if this is a non-lethal virus we cannot find perhaps that is the solution if we can get it to work?

I don't want to give up but I've had two instances where the popup did not come up for a couple of days.....one was after the first OTL custom scan you asked me to do....one prior but I cannot remember what I had done.  Not sure if there is a link here anyway....but it did stop for a couple of days....seems odd.

Do you want me to re-run ESET as before to see what comes up ?
Any others to try ?
« Last Edit: April 09, 2012, 11:47:34 PM by thekochs »
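The poster's observation is that the request to the blocked domain fires as soon as IE opens, with no navigation, so the places worth inspecting are the ones IE and Windows consult at launch: the IE start and default pages, Browser Helper Objects (the DLLs IE loads at startup), the Run/RunOnce autostart keys, and the hosts file that OTL's [resethosts] directive rewrites. The following PowerShell script is an added example and is not code from the thread or from avast, ESET, OTL or TDSSKiller. It assumes an elevated PowerShell 3.0 or later prompt on the affected machine, performs only read-only registry and file reads, and takes "rk400" (the domain in the blocked URL) as the default string to flag.

```powershell
# Added example, not part of the thread. Read-only inventory of the locations
# that can trigger a URL request at IE launch, then a filter for a given string.
# Assumption: elevated PowerShell 3.0+ on the affected machine; nothing is modified.
param(
    [string]$Needle = 'rk400'   # substring to flag; rk400.com is the domain avast blocked in the thread
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Source, $Value) {
    # Values such as REG_MULTI_SZ arrive as arrays; "$Value" joins them into one string.
    $findings.Add((New-Object PSObject -Property @{ Source = $Source; Value = "$Value" }))
}

# 1. Internet Explorer start and default pages, per user and machine wide.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'Start Page', 'Default_Page_URL', 'Secondary Start Pages', 'Search Page') {
        if ($props.$name) { Add-Finding "$key\$name" $props.$name }
    }
}

# 2. Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL IE loads.
$bhoRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($sub in Get-ChildItem -Path $root) {
        $clsid = $sub.PSChildName
        $dll = '(no InprocServer32 found)'
        foreach ($classes in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
            $srv = Join-Path $classes "$clsid\InprocServer32"
            if (Test-Path $srv) { $dll = (Get-Item $srv).GetValue(''); break }
        }
        Add-Finding "BHO $clsid" $dll
    }
}

# 3. Run / RunOnce autostarts for the current user and the machine.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) { Add-Finding "$key\$name" $item.GetValue($name) }
}

# 4. Active (non-comment) lines of the hosts file.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsFile) {
    Get-Content -Path $hostsFile |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
        ForEach-Object { Add-Finding 'hosts' $_ }
}

# Report: the full inventory first, then only the entries that mention the needle.
$findings | Select-Object Source, Value | Format-Table -AutoSize -Wrap
$hits = $findings | Where-Object { $_.Value -like "*$Needle*" -or $_.Source -like "*$Needle*" }
if ($hits) {
    "Entries mentioning '$Needle':"
    $hits | Select-Object Source, Value | Format-Table -AutoSize -Wrap
} else {
    "No start page, BHO, Run key or hosts entry mentions '$Needle'; if the request still fires at launch, the source is something these locations do not cover (for example a loaded DLL or a scheduled task)."
}
```

Run it as `.\Get-IeLaunchPoints.ps1` (any file name will do) or with `-Needle` set to another domain. The full inventory is printed on purpose: a BHO whose DLL path is in a temp or user-profile directory, or a Run entry pointing at an unfamiliar executable, is worth attention even when it does not contain the blocked domain, because a DLL can fetch its URL at run time rather than storing it in the registry.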

jeffce

  • Guest
I tried to access the same site and got the same results as you.  Do you receive the same results when opening Firefox or Google Chrome?

Let's take a look and see what we have

In the run box type the following

diskmgmt.msc

When Disk Management opens expand it so that all drives are visible
Take a screenshot and post it here

Are you able to burn a CD on another computer ?