Unknown malware

By Fastler · 10 replies
Jun 9, 2010
  1. I recently managed to contract some form of malware on my computer. The symptoms are not being able to open Task Manager, and, roughly every minute, my anti-virus, Kaspersky, popping up a message saying:

    Denied: http://www.universal101.com/index.php?ad=1 (analysis according to the base of phishing web addresses), Internet Explorer

    Now, it doesn't really matter what this is, and eventually, I will follow these instructions: https://www.techspot.com/vb/topic17297.html
    But I was just wondering if there was any way to remove it with Kaspersky, it having failed to find anything in a full scan.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You chose the wrong thread to follow. If you would like us to check for malware, please follow the steps on our Preliminary Virus and Malware Removal thread HERE.

    Then leave the logs for us to review. We can then determine the best course of action.

    Please do not use any other cleaning programs or scans while I'm helping you unless I direct you to. Do not use a registry Cleaner or make any Registry changes.
  3. Fastler

    Fastler TS Rookie Topic Starter

    Well I feel stupid. Here are the four logs, and everything I said in the OP still stands. Hope something can be done. Thanks in advance

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    That thread was first written in 2004 and updated in 2006. Newer programs that work better have been written. If it were up to me, none of those threads would even be available for viewing!

    You have had multiple rogue malware programs running on the system. They may have advised you of an 'alert' for something, with a 'click here to fix' and usually $$. What we need to do is find what's real and remove it! Malwarebytes has given you a good start.

    The site you referenced has a poor reputation. You are being protected by Kaspersky. If it's outgoing, it means there is something on your system that is attempting to access it. If it's incoming, then either you are attempting to load the site or some attempt is being made to access your system. Either way, it's a good thing that Kaspersky blocked it. I use NOD32 among other security programs, including the built-in security in Firefox, and the site gives the 'bad reputation' warning and doesn't load for me.

    I am preparing a script for you to run based on the current logs. I will add whatever is necessary based on the results of the following 2 programs. Based on the amount of malware found by MBAM, I expect there will be more:

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename ComboFix unless instructed.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double-click combofix.exe and follow the prompts to run.
       NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it is not, restart your computer to restore your connection.
    5. If ComboFix asks you to install the Recovery Console, please allow it.
    6. If ComboFix asks you to update the program, always allow it.
       Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    7. A report will be generated after the scan. Please post C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave the 2 logs in your next reply.

    Please don't use any other cleaning programs or scans while I'm helping you, unless I direct you to. Don't use a Registry cleaner or make any changes in the Registry.
  5. Fastler

    Fastler TS Rookie Topic Starter

    Here you go.

    Also, an additional symptom seems to be that the menus turn a sort of silvery dark grey instead of the usual light grey whenever I right-click on something. Just not always, and I can fix it easily with Desktop Properties - Settings.

    Attached Files:

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    If this is something you can 'fix with desktop properties' then you should be able to set it correctly.
    Please download OTMoveIt by OldTimer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      C:\Games\Flatspace II\FlatspaceII.exe
      C:\Games\UFO Afterlight\Hatred.exe
      C:\Program Files\Hotspot Shield\bin\openvpnas.exe
      C:\Program Files\Registry Easy\RegEasyCleaner.exe
      C:\Program Files\Registry Easy\RegEasyUpdate.exe
      [start explorer]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    It's going to take me a while to finish the script. You have got a significant number of bad entries. Go ahead with OTM.

    If you have this program, please disable it: Registry Easy
    Do not use uTorrent or any other file sharing program while I am helping you. I suspect that you have gotten a lot of downloads from torrent sites and you have gotten the malware that goes with it.
    Do not download any new programs, especially games or their related apps.
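The OTMoveIt step above (move the listed files to a quarantine folder, log what happened, finish on reboot if a file is in use) as an added PowerShell example. This is not code from the thread and not OldTimer's OTM; it is written here to show what that step does under the hood. It moves rather than deletes, so a false positive can be restored, logs in the same shape as OTM's "moved successfully" / "not found" lines, and for a file held open by a running process schedules the move for the next boot with the Win32 MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) call, which is the "you may be asked to reboot to finish the move" case. The quarantine root C:\_Quarantine is an assumed location; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread, not OTM's code). Quarantine-moves a list
# of paths, OTM-style, and falls back to a reboot-time rename for locked files.
# Assumption: C:\_Quarantine is a writable folder on the same volume as the files.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Move-ToQuarantine {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $QuarantineRoot = 'C:\_Quarantine'   # assumed location
    )
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4               # kernel32 flag value
    $stamp   = Get-Date -Format 'MMddyyyy_HHmmss'   # same stamp format OTM uses
    $dest    = Join-Path $QuarantineRoot "MovedFiles\$stamp"
    $logFile = Join-Path $QuarantineRoot "MovedFiles\$stamp.log"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    $log = New-Object System.Collections.Generic.List[string]
    $log.Add('========== FILES ==========')
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            $log.Add("File/Folder $p not found.")
            continue
        }
        # Keep the original directory layout under the quarantine folder so the
        # file can be put back exactly where it was if it turns out to be clean.
        $target = Join-Path $dest ($p -replace '^[A-Za-z]:\\', '')
        New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
        try {
            Move-Item -LiteralPath $p -Destination $target -Force -ErrorAction Stop
            $log.Add("$p moved successfully.")
        } catch {
            # Typically "file in use": let the kernel rename it during boot,
            # before whatever holds it open gets a chance to start again.
            if ([Win32.Native]::MoveFileEx($p, $target, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
                $log.Add("$p scheduled to be moved on reboot.")
            } else {
                $log.Add("$p could not be moved: $($_.Exception.Message)")
            }
        }
    }
    $log | Set-Content -LiteralPath $logFile
    $log.Add("Log written to $logFile")
    return $log
}

# The five paths from the post above.
Move-ToQuarantine -Path @(
    'C:\Games\Flatspace II\FlatspaceII.exe',
    'C:\Games\UFO Afterlight\Hatred.exe',
    'C:\Program Files\Hotspot Shield\bin\openvpnas.exe',
    'C:\Program Files\Registry Easy\RegEasyCleaner.exe',
    'C:\Program Files\Registry Easy\RegEasyUpdate.exe'
)
```

A reboot-time move is recorded by Windows in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and is applied by the Session Manager before any user-mode service or autostart entry runs, which is why it works on a file the malware keeps open.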
  7. Fastler

    Fastler TS Rookie Topic Starter

    All processes killed
    ========== PROCESSES ==========
    No active process named ${Memory} was found!
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Games\Flatspace II\FlatspaceII.exe moved successfully.
    C:\Games\UFO Afterlight\Hatred.exe moved successfully.
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe moved successfully.
    File/Folder C:\Program Files\Registry Easy\RegEasyCleaner.exe not found.
    File/Folder C:\Program Files\Registry Easy\RegEasyUpdate.exe not found.
    C:\WINDOWS\msgrd.exe moved successfully.
    C:\WINDOWS\system32\mslsgw.exe moved successfully.
    ========== COMMANDS ==========
    User: All Users
    User: barton.steven
    ->Temp folder emptied: 1128408 bytes
    ->Temporary Internet Files folder emptied: 3137807 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 226338429 bytes
    ->Flash cache emptied: 23196 bytes
    User: BARTON~1~STE
    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    User: LogMeInRemoteUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    User: Test
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 32768 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes
    Total Files Cleaned = 220.00 mb
    OTM by OldTimer - Version log created on 06122010_121822
    Files moved on Reboot...
    Registry entries deleted on Reboot...

    Thanks for all this, and yeah, I do torrent some things, but living in Austria makes it hard if not impossible to get some programs. Besides, it is technically legal.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Whether file sharing is 'technically legal' or not, here are the reasons why you shouldn't use it:
    P2P or 'file sharing' Warning:

    Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes whatever malware the sharing system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    Whether you live in Austria or Timbuktu, if you can access the internet you do not need to rely on torrent downloads.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Did you plan to continue?
  10. Fastler

    Fastler TS Rookie Topic Starter

    Yes, although it seems to have subsided into the background, the virus most definitely is not gone. Any help would be greatly appreciated. I personally have no Idea what to do now, short of wiping, reformatting and reinstalling everything.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    What's happening?

    Please check your settings for the following:
    IFEO: Image File Execution Options (IFEO) with managed debugging. IFEO works great for native + interop-debugging; this is just an issue for managed-only debugging.
    IFEO: regedit.exe - 0
    IFEO: taskmgr.exe - 0

    There was a restore point set for this> what is it?
    RP628: 12/4/10 6:30:51 PM - ??????? Dreamfall - Бесконечное путешествие (Russian title; "Dreamfall - The Endless Journey")
    Installed Neverwinter Nights same date.

    Explain please> is this a pirated program?
    Another World 1.1b
    Another World 15th Anniversary *VERSION CDRIP*
    Custom CFScript

    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad and copy/paste the text below into it:

       uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103470 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/ Safari/532.5" -"http://web.archive.org/web/20050520235310/www.lego.com/eng/spybotics/game.asp"

    Save this as CFScript.txt, in the same location as ComboFix.exe.

    Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

    When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
    Uninstall this: Java(TM) 6 Update 2.

    There is a driver/service running for the program Sandra Lite (SandraAgentSrv). It is the System ANalyser, Diagnostic and Reporting Assistant, from SiSoftware. I didn't see it in your logs. Are you currently running this program?
    Shockwave Flash Player:
    Flash Player is known for leaving behind old, insecure files. It is better to clean out the entire entry: uninstall, then reinstall:
    • Download the Flash Player Uninstaller and save it to your desktop.
      Choose the Flash Player Uninstaller for your browser: http://www.adobe.com/shockwave/download/alternates/ Don't run it yet.
    • Boot into Safe Mode
      [o] Restart your computer and start pressing the F8 key on your keyboard.
      [o] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    • Double-click the Flash Player Uninstaller setup on the desktop and run the uninstaller program.
    • Reboot your computer to complete the uninstall.
    • Download the latest version of Flash Player HERE and save it to the desktop.
    • Double-click the setup and run it to install. Reboot when through.
    • Once the new version is installed, follow the directions to disable the auto-updater.
      [1] Navigate to the Shockwave Welcome page: http://www.adobe.com/shockwave/welcome/
      Note: The context menu can be accessed from any Shockwave movie if the context menu has been enabled by the author, but this URL was provided to simplify the process.
      [2] Windows: Right-click the Shockwave movie.
      [3] From the drop-down menu choose "Properties".
      [4] Uncheck the box next to "Automatic Update Service" to disable the auto-update feature.

    Let me know what malware symptoms you still have.
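The "IFEO: taskmgr.exe / regedit.exe" lines the helper asks about, together with the "can't open Task Manager" symptom from the first post, point at two well-known Windows hijack locations. This is an added, read-only PowerShell check, not code from the thread or from any of the tools it mentions. Malware commonly writes a "Debugger" value under Image File Execution Options\<exe> so that launching taskmgr.exe, regedit.exe or a security tool starts the malware instead (or nothing at all); on a home PC any Debugger value deserves a look, and one whose image cannot be found is a strong sign of tampering. Task Manager and regedit can also be blocked outright by the DisableTaskMgr / DisableRegistryTools policy values. The script reports and changes nothing.

```powershell
# Added example (not from the thread). Lists IFEO "Debugger" hijacks and the
# Task Manager / Registry Editor lockout policies. Read-only; run as Administrator
# so both the 64-bit and WOW64 hives are readable.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# First token of a Debugger value, honouring quotes around paths with spaces.
function Get-DebuggerImage([string] $Value) {
    if ($Value -match '^"([^"]+)"') { return $Matches[1] }
    return ($Value -split '\s+')[0]
}

function Get-IfeoDebugger {
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }
            $image = Get-DebuggerImage $dbg
            [pscustomobject]@{
                Target      = $key.PSChildName            # e.g. taskmgr.exe
                Debugger    = $dbg
                # Get-Command resolves both full paths and bare names on PATH;
                # $false means the "debugger" does not exist: classic lockout.
                ImageExists = [bool](Get-Command -Name $image -ErrorAction SilentlyContinue)
                Key         = $key.Name
            }
        }
    }
}

function Get-ToolPolicy {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key   = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive                 = $hive
            DisableTaskMgr       = $props.DisableTaskMgr          # 1 = Task Manager blocked
            DisableRegistryTools = $props.DisableRegistryTools    # 1 = regedit blocked
        }
    }
}

Write-Host '--- IFEO Debugger entries (expect none on a clean home PC) ---'
Get-IfeoDebugger | Format-Table -AutoSize
Write-Host '--- Task Manager / regedit policy (blank or 0 = allowed) ---'
Get-ToolPolicy | Format-Table -AutoSize
```

A Debugger value that points at a real debugger you installed (for example a vendor's crash handler) is legitimate; one that points at a non-existent file, a path under a temp or profile folder, or a copy of a system binary is not. Removal is a single Remove-ItemProperty on the offending key (Debugger, DisableTaskMgr or DisableRegistryTools), but in a thread like this one it should only be done when the helper's script calls for it, since the same entries are what the ComboFix log is being used to confirm.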