Windows update URL blocked

Postby jjim » Sun Jun 06, 2010 12:44 am

Thanks again.
Warepire here's the latest log file
http://www.mediafire.com/download.php?n25jitayzz0


I think this may contain the solution - I could not paste the log here as it contained the win update URL (and I get page not found when posting). Think this may be the problem.
Thx for the help.
jjim
Super Member
 
Posts: 569
Joined: Fri Jun 18, 2004 10:12 pm
Thanks: 0
Thanked: 4 times in 3 posts

Postby I_AM » Sun Jun 06, 2010 1:35 am

Warepire wrote:I'm also pretty good at Hijack This logs... they have been a bit of a hobby for me since ~2007. Especially XP logs.


If your DNS server settings have been changed this can affect what sites/domains you are able to access. Hijack This will detect if these settings have been changed.
Some malware uses this to redirect you to a fake site when you think you are visiting a genuine one, and possibly blocking security related sites.

You could try accessing it via the ip http://207.46.21.124
"Archimedes Elite, regarded by many as the best ever version." - Ian Bell, co-author of Elite
I_AM
Super Member
 
Posts: 541
Joined: Thu Feb 23, 2006 9:44 am
Location: UK
Thanks: 0
Thanked: 1 time in 1 post

Postby Trey » Sun Jun 06, 2010 3:00 am

Yup, your problem's in here:

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


Similar problem: http://www.computing.net/answers/securi ... 19187.html


This looks suspicious to my untrained eye too.

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6398924296
O17 - HKLM\System\CCS\Services\Tcpip\..\{90FB1533-B867-444A-A632-92E7AEBEDDB8}: NameServer = 202.144.176.10 202.144.176.11
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll


Hopefully Warepire will be able to help you through it.


And what's this process, running from drive 'E'

E:\E Downloads\CORE\MALAWARE\iexplore.exe


Also, is this right? You've only got IE6 installed?

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Trey
Super Member
 
Posts: 1671
Joined: Thu Jul 12, 2007 3:43 am
Location: U.S.A. - Just like Disneyland! (but with more Porn, Drugs, and Guns)
Thanks: 13
Thanked: 25 times in 20 posts
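Working from the O17 entries Trey and I_AM point at, here is an added Python example (not from this thread, and not part of HijackThis) that parses HijackThis-style O17 lines and flags NameServer values that are neither in an expected resolver set nor on a private LAN range. The sample log text is constructed to match the format quoted above, the second key's GUID is a placeholder, and the expected-resolver set is an assumption you would replace with your own ISP's or router's addresses.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in HijackThis format. The first O17 line repeats the
# name servers quoted in the thread; the second uses a placeholder GUID and a
# typical home-router resolver so the two cases can be compared.
SAMPLE_LOG = r"""
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{90FB1533-B867-444A-A632-92E7AEBEDDB8}: NameServer = 202.144.176.10 202.144.176.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
"""

# O17 lines have the shape "O17 - <registry key>: NameServer = <ip> [<ip> ...]"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")


def parse_o17(log_text: str) -> Dict[str, List[str]]:
    """Map each O17 registry key to the list of name servers it sets.

    HijackThis separates multiple servers with spaces or commas; both are
    accepted here. Lines that are not O17 entries are ignored.
    """
    entries: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        match = O17_RE.match(raw.strip())
        if not match:
            continue
        servers = [s for s in re.split(r"[\s,]+", match.group("servers")) if s]
        entries[match.group("key")] = servers
    return entries


def classify_server(server: str, expected: Set[str]) -> str:
    """Return one of: expected, private, unexpected-public, malformed."""
    if server in expected:
        return "expected"
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "malformed"
    if ip.is_private:
        # RFC 1918 / link-local style addresses: usually the LAN router.
        return "private"
    return "unexpected-public"


def find_rogue_nameservers(log_text: str, expected: Set[str]) -> List[Tuple[str, List[str]]]:
    """Return (registry key, [suspicious servers]) for every O17 entry that
    points at a public resolver not on the expected list, or at a value that
    is not an IP address at all."""
    rogue: List[Tuple[str, List[str]]] = []
    for key, servers in parse_o17(log_text).items():
        suspicious = [
            s for s in servers
            if classify_server(s, expected) in ("unexpected-public", "malformed")
        ]
        if suspicious:
            rogue.append((key, suspicious))
    return rogue


if __name__ == "__main__":
    # Assumed allow-list: the router on this constructed LAN.
    EXPECTED_RESOLVERS = {"192.168.1.1"}
    for key, servers in find_rogue_nameservers(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(f"O17 entry {key} sets unexpected resolvers: {', '.join(servers)}")
```

Anything this reports is worth checking against the resolvers your ISP or router actually hands out, since a replaced NameServer value is exactly what lets a DNS hijacker answer for update and security-vendor hostnames while leaving everything else working.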

Postby jjim » Sun Jun 06, 2010 4:17 am

Thx yes iexplore.exe is the renamed hijack.exe (hijack.exe was previously blocked). Running IE6 - uninstalled IE8 to try if IE6 was any better.
jjim
Super Member
 
Posts: 569
Joined: Fri Jun 18, 2004 10:12 pm
Thanks: 0
Thanked: 4 times in 3 posts

Postby Trey » Sun Jun 06, 2010 5:40 am

jjim wrote:Thx yes iexplore.exe is the renamed hijack.exe (hijack.exe was previously blocked). Running IE6 - uninstalled IE8 to try if IE6 was any better.


Huh, so it's a clever bug, it blocked Winupdate, and Hijackthis. I assume it blocked Malwarebytes too? Man, I hate these f-ing things.

I worked on this one girl's computer that had one of these, it took me a whole week of posting, getting advice, and removing things, scanning and posting again, to finally get it all...

I really didn't see all that much scary crap on your log though.

IE6 has many, many more security holes than IE8. I'd go with IE7. The majority of its holes have been patched, and hackers have moved on to hacking IE8. IE7's probably the best bet.

Also most of these things are java based, uninstalling any java you've got might help hamstring this monster, and you can always reinstall.
Trey
Super Member
 
Posts: 1671
Joined: Thu Jul 12, 2007 3:43 am
Location: U.S.A. - Just like Disneyland! (but with more Porn, Drugs, and Guns)
Thanks: 13
Thanked: 25 times in 20 posts

Postby otiscrusher » Sun Jun 06, 2010 5:59 pm

I hate those who make crap like that. :twisted: Fcking losers. :-x You waste so much time to clean up your lair and the next day you could catch the same sht. :roll:
otiscrusher
Super Member
 
Posts: 1680
Joined: Tue Aug 21, 2007 9:18 pm
Location: Russia
Thanks: 0
Thanked: 8 times in 4 posts

Postby jjim » Sun Jun 06, 2010 10:22 pm

Finally fixed - thx to everyone's help. Thx Trey for the links - From here I read about a similar attack and used the suggested app: ComboFix.exe.
This found a rootkit straight away and stopped all services, automatically rebooted and now I can visit Bill Gates' house.
I originally got the Virus visiting Freshwap.net - I'd been there 100's of times before with no problem, but I saw that my Java was accessing the internet and disconnected immediately - had I been on dial-up it would probably have been quick enough. :D

I guess this particular virus would make a lot of money as it took over all the windows security settings, calling itself "Windows XP security" and displaying a list of fake viruses on the PC. It stopped all browsing and running any .exe file. The only apparent way to get rid of it was to pay and register the software.
jjim
Super Member
 
Posts: 569
Joined: Fri Jun 18, 2004 10:12 pm
Thanks: 0
Thanked: 4 times in 3 posts

Postby Trey » Sun Jun 06, 2010 10:47 pm

These things get themselves added to ad rotation on websites, and nail a bunch of people before the malware is noticed and the ad is pulled, so you can get it from websites you totally trust. I got one from an ad downloading from Megaupload using Firefox, it tried to add things (processes) to my boot file, but failed. All it managed to do was wreck my boot file so my computer couldn't even boot. I was able to fix it, but damn it's annoying.

These things are usually java scripted, so be sure you've deleted any old outdated java installs.

Oh, and the new term for these malware fake-anti virus/reg-clearers is 'Hostageware'. They take your computer hostage and the only way to get it to stop is to pay the ransom...
Trey
Super Member
 
Posts: 1671
Joined: Thu Jul 12, 2007 3:43 am
Location: U.S.A. - Just like Disneyland! (but with more Porn, Drugs, and Guns)
Thanks: 13
Thanked: 25 times in 20 posts

Postby otiscrusher » Sun Jun 06, 2010 11:03 pm

Trey wrote:Oh, and the new term for these malware fake-anti virus/reg-clearers is 'Hostageware'. They take your computer hostage and the only way to get it to stop is to pay the ransom...


I'm calling Bruce Willis, he's an expert in this kind of business. :lol: :lol: :lol:
otiscrusher
Super Member
 
Posts: 1680
Joined: Tue Aug 21, 2007 9:18 pm
Location: Russia
Thanks: 0
Thanked: 8 times in 4 posts
