Solved

Apparent virus activity - Kaspersky warning - extra-msn.com/b/img1.html

Posted on 2009-05-07
Last Modified: 2013-11-22
Hi there, I have a laptop (XP Home SP3). A number of viruses, trojans and adware have been removed with Malwarebytes as well as Kaspersky Internet Security.

I still have a problem with Kaspersky popping up a warning every 30 seconds or so when Explorer is open: "...loading object http://www.extra-msn.com/b/img1.html...". If you go to this URL you will get a big warning from Kaspersky.

Obviously there is a problem but I can't find it and I don't really want to do a reinstall at this time.

Anyone have any idea what this is all about?
Question by:MXDEWD
17 Comments
 
LVL 2

Expert Comment

by:FatManc
ID: 24333188
If possible please download HijackThis and run it in Save Log mode.

Copy and paste the log file contents to this message and we can advise further what to do.

Thanks
John
 
LVL 23

Expert Comment

by:ComputerTechie
ID: 24336209
Let me clear up this mistake:

You can run ComboFix in normal mode only, not safe mode.
I would also try using Dr.Web LiveCD.

CT
 

Expert Comment

by:illStraight
ID: 24340374
You should turn off Windows XP's System Restore feature.
Here's how:
right click on My Computer -> Properties
select System Restore tab -> check "Turn off System Restore"
click Apply -> OK

Then run Malwarebytes again.
It's also a good idea to run Trojan Remover, Spybot, or AdAware after Malwarebytes just to make sure the machine is free of the virus remnants.
 
LVL 23

Expert Comment

by:Mohamed Osama
ID: 24344168
The file img1.html in the above link is an instance of Backdoor.Aforce.
This backdoor is relatively old, but its danger comes from the fact that it can hide itself in an NTFS alternate data stream if the infection is successful. This way it will not be visible in Windows Explorer or the command line, and even AV programs sometimes fail to spot it. You will need to run Malwarebytes & ComboFix as suggested above and maybe other anti-rootkit programs to be able to fix it if you are infected. Also, please show us the HijackThis log.
 
LVL 1

Author Comment

by:MXDEWD
ID: 24351509
Hi everyone, thanks for the comments.

Please find the HijackThis log attached.
 
LVL 1

Author Comment

by:MXDEWD
ID: 24351703
Hi there,

Downloaded and ran ComboFix. I'm not sure it removed anything; log attached.

I have also run Kaspersky Internet Security as well (as indicated in my first post).
 
LVL 1

Author Comment

by:MXDEWD
ID: 24351727
Sorry, Kaspersky was blocking uploading of files. Please find them both attached below...
ComboFix-Log.txt
hijackthis.log
 
LVL 23

Expert Comment

by:Mohamed Osama
ID: 24357581
The HijackThis log looks OK except this:
O17 - HKLM\System\CCS\Services\Tcpip\..\{696C51E6-96A4-43EB-A626-186AE32A881B}: NameServer = 202.27.158.40,202.27.156.72
Are those DNS servers really yours or assigned by your ISP?
If not, you will need to fix this.
As for the ComboFix log, I was not able to spot anything alarming. Fellow experts may correct me if I am wrong :)
Could you please post a screenshot or the text of the exact Kaspersky pop-up?
There is a workaround here, which is to block the site www.extra-msn.com using the HOSTS file.

Start > Run > notepad C:\WINDOWS\system32\drivers\etc\hosts
Add the line below:
127.0.0.1    www.extra-msn.com
Save the file with the exact same name (hosts) and not hosts.txt.

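Two checks that follow from this comment, as an added example that is not code from the thread or from HijackThis: pulling the O17 NameServer lines out of a HijackThis log and flagging servers outside the ranges you trust, and adding the HOSTS block entry without duplicating, or being shadowed by, an existing mapping. The sample log text is constructed around the O17 line quoted above; the trusted ranges are assumptions you would replace with your ISP's resolvers.

```python
import ipaddress
import re

# Constructed sample HijackThis log: a benign O4 entry plus the O17 line from the thread.
SAMPLE_HJT_LOG = (
    "O4 - HKLM\\..\\Run: [avp] C:\\Program Files\\Kaspersky Lab\\avp.exe\n"
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{696C51E6-96A4-43EB-A626-186AE32A881B}:"
    " NameServer = 202.27.158.40,202.27.156.72\n"
)
# O17 lines are per-interface DNS servers set in the registry; malware that rewrites
# them can route every lookup through resolvers it controls.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)$")

def find_dns_overrides(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 NameServer line."""
    hits = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            hits.append((m.group("key"), m.group("servers").split(",")))
    return hits

def unexpected_servers(log_text, trusted_networks):
    """Flag O17 servers outside the ranges you expect (your ISP's or your own resolvers)."""
    allowed = [ipaddress.ip_network(n) for n in trusted_networks]
    return [(key, s) for key, servers in find_dns_overrides(log_text) for s in servers
            if not any(ipaddress.ip_address(s) in net for net in allowed)]

def block_host(hosts_text, hostname):
    """Return hosts-file content with hostname pointed at 127.0.0.1.

    Windows honours the first matching line, so an existing mapping to another
    address (itself a hijack sign) is commented out rather than left in front of
    the new entry; an existing loopback entry is not duplicated.
    """
    out, already_blocked = [], False
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if hostname.lower() in [f.lower() for f in fields[1:]]:
            if fields[0] == "127.0.0.1":
                already_blocked = True
            else:
                out.append("# disabled suspicious mapping: " + line)
                continue
        out.append(line)
    if not already_blocked:
        out.append("127.0.0.1    " + hostname)
    return "\n".join(out) + "\n"
```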
 
LVL 1

Author Comment

by:MXDEWD
ID: 24359220
Would rather try and fix the problem, knowing it's being caused by malware. Who knows what else the dirty stinking scum is up to. Screenshot attached.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24361990
ComboFix log did not show that it removed any files, but that log is the result of the 3rd CF run....

Run ComboFix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\gpkrwrct.dat
c:\windows\system32\webcljtn.dat
c:\windows\system32\adptgfot.dat
c:\windows\system32\kbdfwidv.dat
c:\windows\system32\sdhcxnst.dat
c:\windows\system32\activeus.dat
c:\windows\system32\paqsuzb.dat
c:\windows\system32\paqsuzb.dIl
c:\docume~1\MARIAN~1\LOCALS~1\Temp\jfdcd.sys

Driver::
jfdcd

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\paqsuzb]
[-HKEY_CLASSES_ROOT\CLSID\{2BC22E14-25A0-8DB5-3D3F-5DBC89342A1A}]

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

As has already been asked, can we also look at the Kaspersky log?
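As an added example (not ComboFix's own code or its parser), a small reader for the CFScript format used in the steps above: it splits the script into its File::/Driver::/Registry:: sections and flags entries that do not fit the shape this script uses, so a reviewer can sanity-check a script before dragging it onto ComboFix.exe. The sample is an abridged copy of the script posted above; the checks assume only the subset of CFScript syntax it uses (absolute paths, bare service names, [-KEY] deletions).

```python
import re

# Constructed sample: an abridged copy of the CFScript posted in the thread.
SAMPLE_CFSCRIPT = """File::
c:\\windows\\system32\\paqsuzb.dat
c:\\windows\\system32\\paqsuzb.dIl
c:\\docume~1\\MARIAN~1\\LOCALS~1\\Temp\\jfdcd.sys

Driver::
jfdcd

Registry::
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\explorer\\shelliconoverlayidentifiers\\paqsuzb]
[-HKEY_CLASSES_ROOT\\CLSID\\{2BC22E14-25A0-8DB5-3D3F-5DBC89342A1A}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")          # e.g. "File::"
WIN_PATH_RE = re.compile(r"^[a-zA-Z]:\\")             # drive-letter absolute path
REG_DELETE_RE = re.compile(r"^\[-(HKEY_[A-Z_]+)\\.+\]$")  # "[-HKEY_...\key]" deletion

def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; entries keep their original text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: " + line)
        else:
            sections[current].append(line)
    return sections

def audit_cfscript(text):
    """Return findings for entries that do not match the form each section expects here."""
    findings = []
    for section, entries in parse_cfscript(text).items():
        for e in entries:
            if section == "File" and not WIN_PATH_RE.match(e):
                findings.append("File:: entry is not an absolute path: " + e)
            elif section == "Registry" and not REG_DELETE_RE.match(e):
                findings.append("Registry:: entry is not a [-KEY] deletion: " + e)
            elif section == "Driver" and ("\\" in e or "." in e):
                findings.append("Driver:: entry should be a bare service name: " + e)
    return findings
```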
 
LVL 1

Author Comment

by:MXDEWD
ID: 24368302
Sorry, Kaspersky screenshot as requested previously.
KISWarning.bmp
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24383347
Did you run the CFScript? Can you attach the CF log here?
 
LVL 1

Author Comment

by:MXDEWD
ID: 24389679
Hi there, sorry rpg... got sidetracked on another job. CF log attached.

Cheers Jason
CF-Log.txt
 
LVL 23

Expert Comment

by:ComputerTechie
ID: 24390081
Did you uninstall your Norton antivirus before installing Kaspersky Anti-Virus?

CT
 
LVL 1

Accepted Solution

by: MXDEWD (earned 0 total points)
ID: 24391372
Hey ComputerTechie... yes I did. Ran the Norton uninstaller tool.
