TechSpot

IE v6.0 launches by itself then downloads more malware

By foofer
Sep 8, 2007
  1. Hi
    Can anyone help me with ridding my machine of the following malware? I'm running W XP home edition with IE version 6.0.
    On every startup of my PC IE launches by itself in the background and visits a site called whataboutarabit.com. Here it seemingly downloads a dialer, or I presume it's a dialer, as I repeatedly get new dialup connections appearing, with the following program sometimes running in the background: 1189238981.dat.exe. I have run HJT several times and have deleted 1 or 2 entries but with no success. I have used SS&D and AVG Anti-spyware but they have found very little. I have attached logs from each one. I do not want to reformat and re-install as I have too much software to get up and running again, if I can avoid it.

    Thanks and regards to all !
     
  2. Rik

    Rik Banned Posts: 3,814

    Your system has been hijacked. I am currently in training for malware removal and so cannot guarantee removal.

    I can try to help or you can wait until Howard is about, the choice is yours.


    This thread is for the use of foofer only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. foofer

    foofer TS Rookie Topic Starter Posts: 21

    Thanks rik
    I'll hold on for a few days and see if there's any reply from Howard; failing this I'll start backing up and we can have a go at it together.

    take care !
     
  4. Rik

    Rik Banned Posts: 3,814

    I know enough to not harm your system in any way but not enough to be 100% sure of removing the threat.

    I respect your decision.:)

    Howard has faith in me but as yet I don't have faith in myself.

    I have just traced an IP address in your log to "dns1-it.swip.net" based in Sweden.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O15 - Trusted Zone: *.whataboutarabit.com

    Click on the fix checked button.

    Close HJT and reboot your system.

    Post the Avenger log as well as a fresh HJT log.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:
     
  6. foofer

    foofer TS Rookie Topic Starter Posts: 21

    Hi Howard
    Thanks for the quick reply .

    I did as you said and have the following results. I just want to add that when I ran HJT entry Q 15 was present; I deleted it and rebooted as you instructed. I then ran HJT once again and this is the file currently attached.
    As for the AVG anti rootkit, it said no rootkit found after running the in depth analysis. (Don't know where to find its log file, if any?)

    Thanks
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download and install DrWebCureit:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    http://spywareinfo.dk/download/drweb-cureit.exe to your desktop.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
    It will first make a quick scan of your system, let it clean what it finds, and when it says "done"
    Click on the green screwdriver-
    Actions Tab- Adware-Dialers-Riskware-Hacktools, use dropdown menu and select -Delete
    Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s), say yes to all.

    After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list
    Save the report to your desktop. The report will be called DrWeb.csv
    Close Dr.Web Cureit.

    Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

    Attach the DrWeb.csv log as well as a fresh HJT log.

    Regards Howard :)
     
  8. foofer

    foofer TS Rookie Topic Starter Posts: 21

    Hi Howard
    Having trouble with the drweb-cureit application; it says the license has expired and I can't seem to get it to run in any way. Is there another tool available?
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I`m not sure what the problem is with DrWebCureit:

    Delete the version you have now and redownload it. Run it from normal mode and see if that helps.

    Regards Howard :)

    Edit: If the above doesn`t help, try this.

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    Post a fresh HJT log.

     
  10. foofer

    foofer TS Rookie Topic Starter Posts: 21

    No luck with DrWeb-cureit, went for the other option.
    Here is the latest HJT log.

    Thanks
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)
     
  12. foofer

    foofer TS Rookie Topic Starter Posts: 21

    Hi
    Shortly after posting the final clean HJT log and turning off the system restore etc., rebooting and then re-enabling it, I looked in the Task manager and there was an IE running in the background again. I ran HJT and the infamous Q15 entry was present once again.
    This is a log file from this evening's scan.
    What do you think ?
    best regards
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I can`t see any HJT log. Run the DelO15Domains.inf fix again and see if it helps.

    Regards Howard :)
     
  14. foofer

    foofer TS Rookie Topic Starter Posts: 21

    Howard or Ric

    Can't seem to attach any .txt or .log files created today.
    Is there a problem with attachments this evening or is my machine
    on the brink of collapse?
    Regards
    foofer
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I have removed all your other log files, perhaps that will help.

    Regards Howard :)
     
  16. foofer

    foofer TS Rookie Topic Starter Posts: 21

    Hi Howard
    Remembered to attach a log file this evening.
    I have found that shortly after running the DelO15Domains.inf fix there is no IE launching at startup as before. If I then run HJT the log has no q15 entry; however, after a few minutes it seems to revive and IE launches again.
    Running HJT then gives the attached log file results.
    I ran it this time with sys restore disabled.
    Some other info is that I have this entry in the startup list in the msconfig utility. I have disabled it for some time.

    1189238981---C:Documents and settings\username\localsettings\temp\
    189238981.dat.exe
    ----Software\microsoft\windows\current version \run
    If it appears a little strange it's because I translated it as I have my machine set up in the Italian language

    Regards
    foofer
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Let`s give this a try.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    Run HJT and fix the 015 trusted zone entry(if there).

    Reboot your computer.

    Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

    Regards Howard :)
     
  18. foofer

    foofer TS Rookie Topic Starter Posts: 21

    Hi Howard
    These are the results of the two programs.
    Let me know what you think?
    Thanks
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Mmm, not good.

    See if you can manually delete the file.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    189238981.dat.exe

    Close task manager.

    Locate and delete the following bold files and/or directories(if there).

    189238981.dat.exe (search your system for this file and delete all instances found)

    Fix the 015 entry in HJT.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I may have found a fix for your 015 troubles.

    Please do the following exactly.

    Please download FindAWF to your Desktop.
    Double-click FindAWF.exe to start the tool.
    Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

    Regards Howard :)
     
  21. foofer

    foofer TS Rookie Topic Starter Posts: 21

    Hi
    I did first as you said in safe mode with the manual search several times but nothing was found. I then ran HJT and the q15 was there and I deleted it.
    After restarting I ran HJT and found the entry back again.
    I have attached the log of this report.
    Then with regards to the AWF tool, I carried out the procedure and the file is in the attachment.
    Thanks
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Double-click FindAWF.exe to start the tool. Then, do the following
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment..

    Then, do the following.

    Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

    Navigate to the following reg keys and delete them.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\whataboutadog.com
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\whataboutarabit.com

    Don`t worry if one or more keys aren`t there.

    Close regedit and reboot your computer.

    Let me know the results and post a fresh HJT log.

    Regards Howard :)
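
    The two places Howard has foofer check by hand in this thread, the HKCU Run key entry pointing at a .dat.exe in a Temp folder (post 16) and the ZoneMap\Domains keys that produce the HJT O15 "Trusted Zone" line (this post), can be audited in one read-only pass. The PowerShell script below is an added example for readers of this thread; it is not code from the thread or from HJT, The Avenger, FindAWF or any other tool mentioned here. It assumes PowerShell 2.0 or later is available on the machine, and the Temp-folder and double-extension patterns it flags are constructed heuristics taken from the symptoms described above. It reports; it does not delete anything.

```powershell
# Added example, not from the thread: report autostart entries and IE zone
# assignments so a Trusted Zone / Run key reinfection like the one above is
# visible without reading a full HJT log. Read-only.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Constructed heuristic: legitimate autostart entries rarely run from Temp
# (XP: Local Settings\Temp; Vista and later: AppData\Local\Temp).
$tempPathPattern = '\\Local Settings\\Temp\\|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\'
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

Write-Host "== Autostart (Run / RunOnce) entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # skip provider metadata
        $flag = ''
        if ($p.Value -match $tempPathPattern) { $flag = '  <-- runs from a Temp folder' }
        elseif ($p.Value -match '\.dat\.exe') { $flag = '  <-- double extension' }
        Write-Host ("{0}\{1} = {2}{3}" -f $key, $p.Name, $p.Value, $flag)
    }
}

# IE stores per-domain zone assignments under ZoneMap\Domains. Each subkey is
# a domain (nested subkeys are subdomains); each value is a scheme name such
# as http, https or * whose DWORD data is the zone id. Zone 2 is Trusted
# sites, which is what HJT reports as an O15 entry.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

Write-Host "`n== Internet Explorer ZoneMap domain entries =="
foreach ($hive in 'HKCU', 'HKLM') {
    $domains = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path $domains)) { continue }
    Get-ChildItem -Path $domains -Recurse | ForEach-Object {
        # Path relative to the Domains key, e.g. example.com or example.com\www
        $rel = $_.Name.Substring($_.Name.IndexOf('Domains\') + 8)
        foreach ($valName in $_.GetValueNames()) {
            $zone = [int]$_.GetValue($valName)
            $label = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { "zone $zone" }
            $flag = if ($zone -eq 2) { '  <-- Trusted zone (HJT O15)' } else { '' }
            Write-Host ("{0} {1} [{2}] -> {3}{4}" -f $hive, $rel, $valName, $label, $flag)
        }
    }
}
```

    Run it from a normal PowerShell prompt (HKLM entries are readable without elevation). If the same Trusted-zone domain reappears minutes after being deleted, as foofer describes, run the script once before and once after the fix; an autostart line that survives the cleanup is the likely re-adding mechanism and is what the Run-key section is meant to surface.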
     
  23. foofer

    foofer TS Rookie Topic Starter Posts: 21

    Hi Howard
    Did as you said.
    Only the first of the two entries was present in the registry, which I deleted.
    The results are below.
    I want to add that normally while I post the results back to you I have the task manager running and within a minute or two I pick up the second invisible IE window launching, but this is the first time that nothing has happened and some 10 min have passed now! Let's see if it holds.
    Is there anything else I need to do ?
    Regards
    foofer
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Everything looks fine there.

    Hopefully, that`ll be an end to the matter.

    I`ll keep my fingers crossed for you.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)
     
  25. foofer

    foofer TS Rookie Topic Starter Posts: 21

    Hi Howard
    The system looks good, no funnies running at startup even after several reboots.
    One last question: does the entry in the config utility under startup,
    i.e. the 1129238981 entry, pose any risk and can it be left there? It's unchecked at the moment.

    Just want to say thanks so much for your time and effort; I look forward to
    visiting Techspot regularly.
    Regards
    foofer
     