Author Topic: [SOLVED] VIRUS/Rootkit => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com  (Read 34033 times)


thekochs

  • Guest
Quote
I tried to access the same site and got the same results as you.  Do you receive the same results when opening Firefox or Google Chrome?

Let's take a look and see what we have

In the run box type the following

diskmgmt.msc

When Disk Management opens, expand it so that all drives are visible
Take a screenshot and post it here

Are you able to burn a CD on another computer?

I ran ESET again this morning.....see new log.
Also, attached is JPEG of diskmgmt.msc screen shot.
I can burn CD on other machine.....let me know what you want to do.
Also, remember I have RollBackRX installed.

jeffce

  • Guest
Hi,

Both of those look good.  ESET is picking up the old OpenCandy entry but it is in the OTL quarantine so it is fine.

Do the popups occur in other browsers than Internet Explorer? 

Run a new scan with OTL and attach the new logs.  :)

thekochs

  • Guest
Quote
Hi,

Both of those look good.  ESET is picking up the old OpenCandy entry but it is in the OTL quarantine so it is fine.

Do the popups occur in other browsers than Internet Explorer? 

Run a new scan with OTL and attach the new logs.  :)

Is there anything custom on the OTL scan you want me to do?

I do not have any other browsers installed (never wanted to go down that path.....too many things IE makes simple for me and not big enough power user to need other browsers).

jeffce

  • Guest
Hi,

Quote
Is there anything custom on the OTL scan you want me to do?
You know what...put the following into Custom Scans/Fixes

netsvcs
/md5start
consrv.dll
/md5stop

thekochs

  • Guest
Hi,

Quote
Is there anything custom on the OTL scan you want me to do?
You know what...put the following into Custom Scans/Fixes

netsvcs
/md5start
consrv.dll
/md5stop


I did not get a chance to do this "customized" scan......will do/re-run soon and post. However, here is OTL scan with just using "SCAN" button as-is.

To be clear using your previous OTL instructions.........
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL using...........
netsvcs
/md5start
consrv.dll
/md5stop

Then click the Run Fix button at the top.
Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.
Reboot when it is done.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )


You also mentioned above a CD.....something you want me to burn and try ?
« Last Edit: April 10, 2012, 10:37:35 PM by thekochs »

jeffce

  • Guest
Hi,

Sorry if my instructions weren't clear enough.  :(

Place the following text in the code box into the Custom Scans/Fix section of OTL
Code: [Select]
netsvcs
/md5start
consrv.dll
/md5stop

Once pasted into the Custom Scans/Fix section press Run Scan.  This will produce a log that I will need in your next reply. 

Don't worry about the burning CD right now.  :)

thekochs

  • Guest
Quote
Hi,

Sorry if my instructions weren't clear enough.  :(

Place the following text in the code box into the Custom Scans/Fix section of OTL
Code: [Select]
netsvcs
/md5start
consrv.dll
/md5stop

Once pasted into the Custom Scans/Fix section press Run Scan.  This will produce a log that I will need in your next reply. 

Don't worry about the burning CD right now.  :)

Your instructions were clear but I wanted to make 100% sure how you wanted me to run.....since I know one wrong step in these things can cause more issues.

Attached is OTL Log with custom items added.

Also, had idea.......
Since the Avast Blocker message says the source is C:\Program Files\Internet Explorer\ws2help.dll my thought was to view all O/S files and take a copy from other XP SP3 machine and replace.....basically deleting/replacing this help file/DLL.  I went to the folder and even when I set to view O/S files I could not find this DLL.  Do you think that would work if we could replace it somehow?
Additionally, I see IE8 in my ADD/Remove....how about uninstalling and re-installing IE8 ?
FYI....I do have RollBackRX on this machine so I can easily save a snapshot of a current point prior to any of these and roll back to that point, even pre-O/S load.  Unlike SystemRestore it rolls back everything.....all/any changes....even O/S.
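Added example, not part of the thread and not OTL's own code. Two things come up in the posts above: the `/md5start consrv.dll /md5stop` custom scan, which makes OTL report the MD5 of every file with that name, and a ws2help.dll that Avast reports under C:\Program Files\Internet Explorer but that does not show up in Explorer. The script below does the equivalent of the md5 scan for both names with a plain directory walk (a directory walk lists hidden and system files; only Explorer's view filters them), and flags a copy that sits outside the directory where that DLL is expected. The expected directory, the demo tree and the file contents are constructed for the example; no real DLL bytes or known-good hashes are assumed.

```python
"""Stand-in for OTL's `/md5start <name> /md5stop` custom scan (added example).

Walks the given roots, finds every file whose name is on the list (matched
case-insensitively, as NTFS does), hashes it, and flags copies that live
outside the directories where that DLL is expected."""
import hashlib
import os
import tempfile

# Names from the thread: consrv.dll (the md5 custom scan) and ws2help.dll
# (the file Avast named under C:\Program Files\Internet Explorer).
TARGET_NAMES = ("consrv.dll", "ws2help.dll")


def md5_bytes(data):
    """MD5 hex digest of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(roots, names=TARGET_NAMES, expected_dirs=()):
    """One record per hit: path, size, md5, and whether it is out of place.

    expected_dirs: directories where a copy of the DLL is allowed to live
    (assumption for this example: the System32 directory of the demo tree).
    os.walk lists hidden/system entries too, so a file Explorer hides is found."""
    wanted = {n.lower() for n in names}
    allowed = {os.path.normpath(d).lower() for d in expected_dirs}
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if fn.lower() not in wanted:
                    continue
                full = os.path.join(dirpath, fn)
                hits.append({
                    "path": full,
                    "name": fn.lower(),
                    "size": os.path.getsize(full),
                    "md5": md5_of(full),
                    "out_of_place": os.path.normpath(dirpath).lower() not in allowed,
                })
    return hits


def conflicting_hashes(hits):
    """Names that appear with more than one MD5: one copy is not the other."""
    seen = {}
    for h in hits:
        seen.setdefault(h["name"], set()).add(h["md5"])
    return sorted(name for name, digests in seen.items() if len(digests) > 1)


def build_demo_tree(base):
    """Constructed sample tree (not real DLL contents): a System32 ws2help.dll,
    a different ws2help.dll under Internet Explorer, a consrv.dll, and one
    unrelated file that the scan must ignore. Returns the System32 path."""
    layout = {
        os.path.join("WINDOWS", "system32", "ws2help.dll"): b"MZ-system32-ws2help",
        os.path.join("Program Files", "Internet Explorer", "ws2help.dll"): b"MZ-planted-ws2help",
        os.path.join("WINDOWS", "system32", "consrv.dll"): b"MZ-consrv",
        os.path.join("WINDOWS", "system32", "kernel32.dll"): b"MZ-not-on-the-list",
    }
    for rel, data in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return os.path.join(base, "WINDOWS", "system32")


def run_demo():
    """Build the constructed tree, scan it, print an OTL-style report, return hits."""
    with tempfile.TemporaryDirectory() as base:
        system32 = build_demo_tree(base)
        hits = scan([base], expected_dirs=[system32])
        for h in hits:
            flag = "OUT OF PLACE" if h["out_of_place"] else "ok"
            print(f"{h['md5']}  {h['size']:>6}  {flag:12}  {h['path']}")
        print("names seen with conflicting hashes:", conflicting_hashes(hits))
        return hits


if __name__ == "__main__":
    run_demo()
```

On a real machine you would call `scan([r"C:\"], expected_dirs=[r"C:\WINDOWS\system32"])` and compare the reported MD5 against the hash of the same file on a known-clean XP SP3 install; two files with the same name but different hashes, one of them in an application folder, is exactly the situation the thread is chasing.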


jeffce

  • Guest
Hi,

I like the idea of reinstalling IE but let me look over the logs really quick.  It may be a bit because I have to travel for work today.  I hope that isn't a problem. 

thekochs

  • Guest
Quote
Hi,

I like the idea of reinstalling IE but let me look over the logs really quick.  It may be a bit because I have to travel for work today.  I hope that isn't a problem.

Take your time......the machine is used some but not main one....thank goodness.
FYI, just downloaded and installed the new Microsoft XP Updates.....went fine....their Malicious Software update ran....guess it did not find anything. :(

If we decide to uninstall IE8 let me know steps.....I assume just to go into Add/Remove and hit the IE8 and select uninstall.
Assuming this goes well I'm not sure what it will leave me with ?...perhaps no Web Browser or will it leave earlier version ?
Assuming I have no web browser how/where do I download IE8 (I assume IE9+ is only for W7 ?).
I found this but only 16MB.....seems small and wondering if will work with no browser...perhaps it is an upgrade only EXE ?
http://windows.microsoft.com/en-US/internet-explorer/downloads/ie-8
Should I try IE7 then upgrade ?: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=2

As always, thx for the help.
« Last Edit: April 11, 2012, 04:00:16 PM by thekochs »

jeffce

  • Guest
Hi,

Do you recognize the following >> C:\Program Files\DriveSitter\DriveSitter.exe
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
O16 - DPF: {1455BE02-C41B-4115-B21C-32380507DC8F} file:///C:/WINDOWS/Temp/MxTextAreaU.cab (MxTextAreaU Class)
O16 - DPF: {1C18220D-EC23-48C8-B35E-857ADE9D1465} file:///C:/WINDOWS/Temp/Potential.cab (Potential Class)
O16 - DPF: {223216F6-B9FE-406D-9ED6-143FCE3A07B8} file:///C:/WINDOWS/Temp/MxLogicalTRU.cab (MxLogicalTRU Class)
O16 - DPF: {2F98EA90-EAE1-4AB5-AE89-DA073D824589} file:///C:/WINDOWS/Temp/MxBinderU.cab (MxBinderU Class)
O16 - DPF: {31538FAB-8051-4CFA-ACA4-B2668718B6F8} file:///C:/WINDOWS/Temp/MxMenuU.cab (MxMenuU Class)
O16 - DPF: {4F57AF1B-5470-47EE-A5AA-D1EA4B3C42A6} file:///C:/WINDOWS/Temp/XChartU.cab (XChartU Class)
O16 - DPF: {5C32688E-CEBE-419D-9C63-0704A2331EEC} file:///C:/WINDOWS/Temp/MxFileControlU.cab (MxFileControlU Class)
O16 - DPF: {71E7ACA0-EF63-4055-9894-229B056E9C31} file:///C:/WINDOWS/Temp/MxGridU.cab (MxGridU Class)
O16 - DPF: {84168FE7-B960-402B-BC0E-E7214D2CFC10} file:///C:/WINDOWS/Temp/MxResourceMngU.cab (MxResourceMngU Class)
O16 - DPF: {90CAA259-71ED-42CB-BEB8-95281CCF9E58} file:///C:/WINDOWS/Temp/MxTabU.cab (MxTabU Class)
O16 - DPF: {9683681E-FAD6-45F1-86B3-FD60C7101BC9} file:///C:/WINDOWS/Temp/MxReportU.cab (MxReportU Class)
O16 - DPF: {9F0AA341-1D10-4B18-B70B-6AA49CE7F5D6} file:///C:/WINDOWS/Temp/MxImageSetU.cab (MxImageSetU Class)
O16 - DPF: {AF989B7C-8AC3-40BC-B749-EB335BDFD190} file:///C:/WINDOWS/Temp/MxDataSetU.cab (MxDataSetU Class)
O16 - DPF: {B1405FE9-DEF8-4679-A3BC-C05F1330CDDD} file:///C:/WINDOWS/Temp/MxMGridU.cab (MGridU Class)
O16 - DPF: {BB4533A0-85E0-4657-9BF2-E8E7B100D47E} file:///C:/WINDOWS/Temp/MxComboU.cab (MxComboU Class)
O16 - DPF: {BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196} file:///C:/WINDOWS/Temp/teechart8.cab (TeeChart Pro Activex control v8)
O16 - DPF: {C1781C5C-0C32-40F2-8927-46FE4BCB5B87} file:///C:/WINDOWS/Temp/MxTreeU.cab (MxTreeU Class)
O16 - DPF: {D7779973-9954-464E-9708-DA774CA50E13} file:///C:/WINDOWS/Temp/MxMaskEditU.cab (MxMaskEditU Class)
O16 - DPF: {F73C0958-D8FE-43A5-9BB0-0F651C5A2BCC} file:///C:/WINDOWS/Temp/MxRadioU.cab (MxRadioU Class)

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

thekochs

  • Guest
Quote
Do you recognize the following >> C:\Program Files\DriveSitter\DriveSitter.exe

It is the SMART HDD monitoring software.....works great.....tried a lot of these type programs and have used this for years.
http://www.otwesten.de/drivesitter/
Is this an issue or just a FYI question to me ?
Still want me to run OTL with the above custom list?

jeffce

  • Guest
Yes please run OTL with the fix that I provided.  :)

thekochs

  • Guest
Quote
Yes please run OTL with the fix that I provided.  :)

Here are both the logs.......after custom/fix....and after reboot then general scan.
Popup still happens. :(

jeffce

  • Guest
Hi,

This is a sneaky one.  I appreciate your patience.  :)

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{530BA5C2-9B7B-45A3-A57E-52197F6C7ABC}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {530BA5C2-9B7B-45A3-A57E-52197F6C7ABC}
IE - HKCU\..\SearchScopes\{530BA5C2-9B7B-45A3-A57E-52197F6C7ABC}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADRA_enUS471
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------

I see that you have Firefox on your system...do you receive the same problem when opening Firefox?
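Added example, not part of the thread and not OTL's code. The two fix scripts above apply a judgement to OTL log lines: O16 DPF entries whose ActiveX codebase is a file:// path under C:\WINDOWS\Temp get removed, and the IE search/start-page/proxy values get reset. The script below applies that same judgement to a list of OTL lines, so the same triage can be repeated on a new log. The sample lines are copied from the thread's two fixes plus a few constructed ones (a start page on hijack.example, ProxyEnable = 1, a ProxyServer value, and a DPF pointing at cdn.hijack.example) so that the code has something to flag; the allow-list of search hosts is an assumption for this example.

```python
"""Triage of O16 DPF and IE lines from an OTL scan log (added example)."""
import re
from urllib.parse import urlparse

# Hosts a search scope, search page or start page is allowed to point at
# (assumption for this example; the thread's clean entries use google/yahoo).
ALLOWED_HOSTS = ("google.com", "yahoo.com", "microsoft.com")

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) (\S+) \((.*)\)$")
IE_RE = re.compile(r"^IE - (.*?) =\s*(.*)$")
URL_RE = re.compile(r"https?://[^\s\"]+")


def host_allowed(host):
    """True if host is an allow-listed domain or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_HOSTS)


def split_ie_left(left):
    """'HKLM\\..\\Key: "Name"' or 'HKLM\\..\\Key,Name' -> (key, name)."""
    if ": " in left:
        key, name = left.split(": ", 1)
    else:
        key, _, name = left.rpartition(",")
    return key, name.strip('"')


def triage(lines):
    """Return a finding {line, reason} for every OTL line that matches the
    patterns the thread's fixes remove; clean lines produce nothing."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O16_RE.match(line)
        if m:
            clsid, codebase, label = m.groups()
            u = urlparse(codebase)
            if u.scheme.lower() == "file":
                where = "Temp directory" if "/temp/" in u.path.lower() else "local path"
                findings.append({"line": line,
                                 "reason": f"ActiveX {label} {clsid} has a file:// codebase in a {where}"})
            elif not host_allowed(u.hostname):
                findings.append({"line": line,
                                 "reason": f"ActiveX {label} codebase host {u.hostname} not allow-listed"})
            continue
        m = IE_RE.match(line)
        if not m:
            continue
        _key, name = split_ie_left(m.group(1))
        value = m.group(2)
        if name == "ProxyEnable" and value != "0":
            findings.append({"line": line, "reason": "proxy enabled in Internet Settings"})
        elif name == "ProxyServer" and value:
            findings.append({"line": line, "reason": f"proxy server configured: {value}"})
        for url in URL_RE.findall(value):
            host = urlparse(url).hostname
            if not host_allowed(host):
                findings.append({"line": line, "reason": f"{name} points at {host}"})
    return findings


# Lines taken from the two fixes in this thread, plus constructed ones (marked).
SAMPLE_LINES = [
    r"O16 - DPF: {1455BE02-C41B-4115-B21C-32380507DC8F} file:///C:/WINDOWS/Temp/MxTextAreaU.cab (MxTextAreaU Class)",
    r"O16 - DPF: {BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196} file:///C:/WINDOWS/Temp/teechart8.cab (TeeChart Pro Activex control v8)",
    r"O16 - DPF: {F73C0958-D8FE-43A5-9BB0-0F651C5A2BCC} file:///C:/WINDOWS/Temp/MxRadioU.cab (MxRadioU Class)",
    r"IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie",
    r"IE - HKLM\..\SearchScopes,DefaultScope =",
    r'IE - HKCU\..\SearchScopes\{530BA5C2-9B7B-45A3-A57E-52197F6C7ABC}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADRA_enUS471',
    r"IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html",
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>',
    # constructed: a hijacked start page
    r"IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://hijack.example/",
    # constructed: a proxy switched on and pointed at a local listener
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080',
    # constructed: a remote ActiveX codebase on a host that is not allow-listed
    r"O16 - DPF: {00000000-0000-0000-0000-000000000000} http://cdn.hijack.example/ctl.cab (Constructed Control)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['reason']}\n    {f['line']}")
```

Run over the lines of a real OTL log, the clean google/yahoo search entries and `ProxyEnable = 0` stay silent; every line it does report is a candidate for the `:OTL` section of the next fix, to be checked by a person before it goes in.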

thekochs

  • Guest
Quote
I see that you have Firefox on your system...do you receive the same problem when opening Firefox?

I don't have Firefox that I know of ???   .....never used it or any other web browser except IE.
Since I'm not a power user like that.....thus IMHO the trade-offs of not using IE is not worth it.....for me:)
Should I somehow take this off ?

I'll run the new scan soon.....thx !
« Last Edit: April 12, 2012, 03:33:15 PM by thekochs »