Solved

Apparent virus activity - Kaspersky warning - extra-msn.com/b/img1.html

Posted on 2009-05-07
497 Views
Last Modified: 2013-11-22
Hi there, I have a laptop (XP Home SP3). A number of viruses, trojans and adware have been removed with Malwarebytes as well as Kaspersky Internet Security.

I still have a problem with Kaspersky popping up a warning every 30 seconds or so when Explorer is open: "...loading object http://www.extra-msn.com/b/img1.html...". If you go to this URL you will get a big warning from Kaspersky.

Obviously there is a problem, but I can't find it and I don't really want to do a reinstall at this time.

Anyone have any idea what this is all about?
Question by:MXDEWD
17 Comments
 
LVL 2

Expert Comment

by:FatManc
ID: 24333188
If possible please download HijackThis and run it in Save Log mode.

Copy and paste the log file contents to this message and we can advise further what to do.

Thanks
John
 
LVL 23

Expert Comment

by:ComputerTechie
ID: 24336209
Let me clear up this mistake:

You can run ComboFix in normal mode only, not safe mode.
I would also try using Dr.Web LiveCD.

CT
 

Expert Comment

by:illStraight
ID: 24340374
You should turn off Windows XP's System Restore feature.
Here's how:
right click on My Computer -> Properties
select System Restore tab -> check "Turn off System Restore"
click Apply -> OK

Then run Malwarebytes again.
It's also a good idea to run Trojan Remover, Spybot, or AdAware after Malwarebytes just to make sure the machine is free of the virus remnants.
 
LVL 23

Expert Comment

by:Admin3k
ID: 24344168
The file img1.html in the above link is an instance of Backdoor.Aforce.
This backdoor is relatively old, but its danger comes from the fact that it can hide itself in an NTFS alternate data stream if the infection is successful; this way it will not be visible in Windows Explorer or the command line, and even AV programs sometimes fail to spot it. You will need to run Malwarebytes & ComboFix as suggested above, and maybe other anti-rootkit programs, to be able to fix it if you are infected. Also, please show us the HijackThis log.
 
LVL 1

Author Comment

by:MXDEWD
ID: 24351509
Hi everyone, thanks for the comments.

Please find the HijackThis log attached.
 
LVL 1

Author Comment

by:MXDEWD
ID: 24351703
Hi there,

Downloaded and ran ComboFix - I'm not sure it removed anything, log attached.

I have also run Kaspersky Internet Security as well (as indicated in my first post).
 
LVL 1

Author Comment

by:MXDEWD
ID: 24351727
Sorry, Kaspersky was blocking uploading of files - please find them both attached below...
ComboFix-Log.txt
hijackthis.log
 
LVL 23

Expert Comment

by:Admin3k
ID: 24357581
The HijackThis log looks OK except this:
O17 - HKLM\System\CCS\Services\Tcpip\..\{696C51E6-96A4-43EB-A626-186AE32A881B}: NameServer = 202.27.158.40,202.27.156.72
Are those DNS servers really yours or assigned by your ISP?
If not, you will need to fix this.
As for the ComboFix log, I was not able to spot anything alarming. Fellow experts may correct me if I am wrong :)
Could you please post a screenshot or the text of the exact Kaspersky pop-up?
There is a workaround here, which is to block the site www.extra-msn.com using the HOSTS file.

Start > Run > notepad C:\WINDOWS\system32\drivers\etc\hosts
Add the line below:
127.0.0.1    www.extra-msn.com
Save the file with the exact same name (hosts) and not hosts.txt.
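As an added example (not code from this thread or from any of the tools named in it), a small Python script that automates the two checks in the comment above: it pulls the O17 NameServer entries out of a HijackThis log and flags DNS servers that are not in a trusted range you supply (the ISP-assigned range is an assumption you fill in), and it verifies that the HOSTS file maps www.extra-msn.com to loopback. The sample log and hosts lines are constructed for the example; the O17 line is the one quoted in the comment.

```python
import ipaddress
import re
from typing import List, Tuple

# HijackThis "O17" lines record per-interface DNS settings under the Tcpip service key.
# Format: "O17 - <registry key>: NameServer = <ip>[,<ip>...]"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[\d.,\s]+)$")

# Constructed sample: the O17 line quoted in the thread plus a second interface
# pointing at a private (router) address, which should not be flagged.
SAMPLE_LOG = """Logfile of HijackThis (constructed sample)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{696C51E6-96A4-43EB-A626-186AE32A881B}: NameServer = 202.27.158.40,202.27.156.72
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Constructed sample hosts file with the workaround entry from the comment above.
SAMPLE_HOSTS = """# hosts (constructed sample)
127.0.0.1       localhost
127.0.0.1    www.extra-msn.com
"""


def parse_o17(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (registry key, [nameserver, ...]) for every O17 line in the log."""
    found = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            found.append((m.group("key"), servers))
    return found


def unexpected_nameservers(log_text: str, trusted_ranges: List[str]) -> List[str]:
    """Nameservers that are public and outside the trusted ranges (e.g. your ISP's)."""
    trusted = [ipaddress.ip_network(r) for r in trusted_ranges]
    flagged = []
    for _key, servers in parse_o17(log_text):
        for s in servers:
            ip = ipaddress.ip_address(s)
            if ip.is_private or ip.is_loopback:
                continue  # router or local resolver, not a hijack indicator by itself
            if not any(ip in net for net in trusted):
                flagged.append(s)
    return flagged


def hosts_blocks(hosts_text: str, hostname: str) -> bool:
    """True if the hosts file maps hostname to loopback or 0.0.0.0 (i.e. it is blocked)."""
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(parts) >= 2 and hostname.lower() in (p.lower() for p in parts[1:]):
            ip = ipaddress.ip_address(parts[0])
            return ip.is_loopback or ip.is_unspecified
    return False
```

Run it against the real log and hosts file by reading them into `log_text` / `hosts_text`; the trusted ranges are whatever your ISP actually assigns, which is the question the comment asks.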
 
LVL 1

Author Comment

by:MXDEWD
ID: 24359220
Would rather try and fix the problem knowing it's being caused by malware. Who knows what else the dirty stinking scum is up to.  Screen shot attached.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24361990
ComboFix log did not show that it removed any files, but that log is the result of the 3rd CF run....

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\gpkrwrct.dat
c:\windows\system32\webcljtn.dat
c:\windows\system32\adptgfot.dat
c:\windows\system32\kbdfwidv.dat
c:\windows\system32\sdhcxnst.dat
c:\windows\system32\activeus.dat
c:\windows\system32\paqsuzb.dat
c:\windows\system32\paqsuzb.dIl
c:\docume~1\MARIAN~1\LOCALS~1\Temp\jfdcd.sys

Driver::
jfdcd

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\paqsuzb]
[-HKEY_CLASSES_ROOT\CLSID\{2BC22E14-25A0-8DB5-3D3F-5DBC89342A1A}]

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 
As has already been asked, can we also look at the Kaspersky log?
 
LVL 1

Author Comment

by:MXDEWD
ID: 24368302
Sorry, Kaspersky screenshot as requested previously:
KISWarning.bmp
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24383347
Did you run the CFScript? Can you attach the CF log here?
 
LVL 1

Author Comment

by:MXDEWD
ID: 24389679
Hi there, sorry rpg... got sidetracked on another job. CF log attached.

Cheers Jason
CF-Log.txt
 
LVL 23

Expert Comment

by:ComputerTechie
ID: 24390081
Did you uninstall your Norton antivirus before installing Kaspersky Anti-Virus?

CT
 
LVL 1

Accepted Solution

by:MXDEWD (earned 0 total points)
ID: 24391372
Hey ComputerTechie... yes I did. Ran the Norton uninstaller tool.
