Solved

Apparant virus activity - Kaspersky warning - extra-msn.com/b/img1.html

Posted on 2009-05-07
Last Modified: 2013-11-22
Hi there, I have a laptop (XP Home SP3). A number of viruses, trojans and adware have been removed with Malwarebytes as well as Kaspersky Internet Security.

I still have a problem with Kaspersky popping up a warning every 30 seconds or so when explorer is open: "...loading object http://www.extra-msn.com/b/img1.html...". If you go to this URL you will get a big warning from Kaspersky.

Obviously there is a problem but I can't find it and I don't really want to do a reinstall at this time.

Anyone have any idea what this is all about?
Question by:MXDEWD
17 Comments
 
LVL 2

Expert Comment

by:FatManc
ID: 24333188
If possible please download HijackThis and run it in Save Log mode.

Copy and paste the log file contents into this message and we can advise further what to do.

Thanks
John
 
LVL 23

Expert Comment

by:ComputerTechie
ID: 24336209
Let me clear up this mistake:

You can run ComboFix in normal mode only, not safe mode.
I would also try using Dr.Web LiveCD.

CT
 

Expert Comment

by:illStraight
ID: 24340374
You should turn off Windows XP's System Restore feature.
Here's how:
right click on My Computer -> Properties
select System Restore tab -> check "Turn off System Restore"
click Apply -> OK

Then run Malwarebytes again.
It's also a good idea to run Trojan Remover, Spybot, or Ad-Aware after Malwarebytes just to make sure the machine is free of the virus remnants.

 
LVL 23

Expert Comment

by:Admin3k
ID: 24344168
The file img1.html in the above link is an instance of Backdoor.Aforce.
This backdoor is relatively old, but its danger comes from the fact that it can hide itself in an NTFS alternate file stream if the infection is successful. This way it will not be visible in Windows Explorer or on the command line, and even AV programs sometimes fail to spot it. You will need to run Malwarebytes and ComboFix as suggested above, and maybe other anti-rootkit programs, to be able to fix it if you are infected. Also, please show us the HijackThis log.

 
LVL 1

Author Comment

by:MXDEWD
ID: 24351509
Hi everyone, thanks for the comments.

Please find the HijackThis log attached.
 
LVL 1

Author Comment

by:MXDEWD
ID: 24351703
Hi there,

Downloaded and ran ComboFix. I'm not sure it removed anything; log attached.

I have also run Kaspersky Internet Security (as indicated in my first post).
 
LVL 1

Author Comment

by:MXDEWD
ID: 24351727
Sorry, Kaspersky was blocking uploading of files. Please find them both attached below...
ComboFix-Log.txt
hijackthis.log
 
LVL 23

Expert Comment

by:Admin3k
ID: 24357581
The HijackThis log looks OK except this:
O17 - HKLM\System\CCS\Services\Tcpip\..\{696C51E6-96A4-43EB-A626-186AE32A881B}: NameServer = 202.27.158.40,202.27.156.72
Are those DNS servers really yours or assigned by your ISP?
If not, you will need to fix this.
As for the ComboFix log, I was not able to spot anything alarming. Fellow experts may correct me if I am wrong :)
Could you please post a screenshot or the text of the exact Kaspersky pop-up?
There is a workaround here, which is to block the site <www.extra-msn.com> using the HOSTS file.

Start > Run > notepad C:\WINDOWS\system32\drivers\etc\hosts
Add the line below:
127.0.0.1    www.extra-msn.com
Save the file with the exact same name (hosts) and not hosts.txt.




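The two checks Admin3k suggests above (are the O17 NameServer addresses the ISP's, and does the HOSTS file already pin www.extra-msn.com to 127.0.0.1) can be done mechanically before anything is edited by hand. The script below is an added example, not code from the thread or from HijackThis or ComboFix; the O17 line is the one quoted above, the expected resolver set and the sample HOSTS text are constructed assumptions (on a real machine the expected set would come from the ISP's documentation or `ipconfig /all` on a known-clean PC on the same connection).

```python
"""Added example: validate a HijackThis O17 NameServer line and check a
HOSTS file for an existing block entry. Not code from the thread."""
import ipaddress
import re

# Constructed sample: the O17 line quoted in the thread.
O17_LINE = (
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{696C51E6-96A4-43EB-A626-186AE32A881B}: "
    "NameServer = 202.27.158.40,202.27.156.72"
)

# Assumption: the resolvers the ISP actually issues. If the O17 addresses
# are not in this set the DNS settings have been changed behind the user's back.
EXPECTED_DNS = {"202.27.158.40", "202.27.156.72"}

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>.+)$")

def parse_o17(line):
    """Return (registry key, [resolver IPs]) from a HijackThis O17 line.
    Raises ValueError if the line is not an O17 entry or an address is malformed."""
    m = O17_RE.match(line.strip())
    if not m:
        raise ValueError("not a HijackThis O17 NameServer line")
    servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    for s in servers:
        ipaddress.ip_address(s)  # raises ValueError on anything that is not an IP
    return m.group("key"), servers

def unexpected_resolvers(line, expected=EXPECTED_DNS):
    """Resolver addresses in the O17 line that are not in the expected set.
    A non-empty result is the 'you will need to fix this' case from the thread."""
    _, servers = parse_o17(line)
    return [s for s in servers if s not in expected]

def hosts_entries(hosts_text):
    """Parse HOSTS file text into {hostname: ip}, ignoring comments and blank lines."""
    entries = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries[name.lower()] = ip
    return entries

BLOCK_IP = "127.0.0.1"

def hosts_block_line(hosts_text, domain):
    """Return the line to append so `domain` resolves to 127.0.0.1, or None if
    the HOSTS file already pins it there. Caveat: a HOSTS entry blocks only
    the exact name given, not other hostnames under the same domain."""
    entries = hosts_entries(hosts_text)
    if entries.get(domain.lower()) == BLOCK_IP:
        return None
    return f"{BLOCK_IP}    {domain}"

# Constructed sample HOSTS file: a comment line plus the usual localhost entry.
SAMPLE_HOSTS = """# sample HOSTS file (constructed for this example)
127.0.0.1       localhost
"""

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(O17_LINE))
    print("line to add:", hosts_block_line(SAMPLE_HOSTS, "www.extra-msn.com"))
```

Running it against the thread's O17 line with the constructed expected set reports no unexpected resolvers and returns the exact `127.0.0.1    www.extra-msn.com` line to append; a second run after that line is present returns None, so the same script can be used to confirm the edit was saved under the right filename.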
 
LVL 1

Author Comment

by:MXDEWD
ID: 24359220
Would rather try and fix the problem knowing it's being caused by malware. Who knows what else the dirty stinking scum is up to. Screenshot attached.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24361990
ComboFix log did not show that it removed any files, but that log is the result of the 3rd CF run....

Run ComboFix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\gpkrwrct.dat
c:\windows\system32\webcljtn.dat
c:\windows\system32\adptgfot.dat
c:\windows\system32\kbdfwidv.dat
c:\windows\system32\sdhcxnst.dat
c:\windows\system32\activeus.dat
c:\windows\system32\paqsuzb.dat
c:\windows\system32\paqsuzb.dIl
c:\docume~1\MARIAN~1\LOCALS~1\Temp\jfdcd.sys

Driver::
jfdcd

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\paqsuzb]
[-HKEY_CLASSES_ROOT\CLSID\{2BC22E14-25A0-8DB5-3D3F-5DBC89342A1A}]

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 
As has already been asked, can we also look at the Kaspersky log?
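Before dragging a CFScript like the one above onto ComboFix it is worth reading it back as a structured removal plan: which files go, which driver is unloaded, which registry keys are deleted, and whether anything lives in a Temp directory. The parser below is an added example, not ComboFix's own code or code from the thread; it assumes the format shown above (section headers of the form `Name::`, one entry per line) and the .reg convention that a leading `-` inside the brackets marks a key for deletion. The sample script is the one rpggamergirl posted, embedded here as constructed input.

```python
"""Added example: parse a ComboFix CFScript into its sections for review.
Not ComboFix's code; assumes the 'Name::' header format shown in the thread."""
import re

# Constructed sample: the CFScript text posted in the thread (between the dashed lines).
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\system32\gpkrwrct.dat
c:\windows\system32\webcljtn.dat
c:\windows\system32\adptgfot.dat
c:\windows\system32\kbdfwidv.dat
c:\windows\system32\sdhcxnst.dat
c:\windows\system32\activeus.dat
c:\windows\system32\paqsuzb.dat
c:\windows\system32\paqsuzb.dIl
c:\docume~1\MARIAN~1\LOCALS~1\Temp\jfdcd.sys

Driver::
jfdcd

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\paqsuzb]
[-HKEY_CLASSES_ROOT\CLSID\{2BC22E14-25A0-8DB5-3D3F-5DBC89342A1A}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")

def parse_cfscript(text):
    """Return {section_name: [entries]} for a CFScript, entries in file order.
    An entry appearing before any 'Name::' header is rejected with ValueError."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry outside any section: {line!r}")
        sections[current].append(line)
    return sections

def registry_deletions(sections):
    """Registry keys the script deletes. The Registry:: section follows .reg
    syntax, where '[-KEY]' means delete KEY (an assumption stated in the lead-in)."""
    deletions = []
    for entry in sections.get("Registry", []):
        m = re.match(r"^\[-(.+)\]$", entry)
        if m:
            deletions.append(m.group(1))
    return deletions

def temp_files(sections):
    """File entries under a \\Temp\\ directory: a driver loaded from a user's
    Temp folder, as in the sample, is worth a second look before deletion."""
    return [p for p in sections.get("File", []) if "\\temp\\" in p.lower()]

def summarize(sections):
    """Per-section entry counts, for a quick sanity check of the plan."""
    return {name: len(entries) for name, entries in sections.items()}

if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    print(summarize(plan))
    print("drivers to remove:", plan.get("Driver", []))
    print("registry keys to delete:", registry_deletions(plan))
    print("files in Temp:", temp_files(plan))
```

On the sample script this yields nine File entries, one Driver entry, two Registry deletions, and exactly one file under a Temp directory (the jfdcd.sys that backs the jfdcd driver), which is the kind of cross-check that catches a typo in a hand-copied script before it is run.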
 
LVL 1

Author Comment

by:MXDEWD
ID: 24368302
Sorry, Kaspersky screenshot as requested previously.
KISWarning.bmp
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24383347
Did you run the CFScript? Can you attach the CF log here?
 
LVL 1

Author Comment

by:MXDEWD
ID: 24389679
Hi there. Sorry rpg... got sidetracked on another job. CF log attached.

Cheers Jason
CF-Log.txt
 
LVL 23

Expert Comment

by:ComputerTechie
ID: 24390081
Did you uninstall your Norton AntiVirus before installing Kaspersky Anti-Virus?

CT
 
LVL 1

Accepted Solution

by:MXDEWD (earned 0 total points)
ID: 24391372
Hey ComputerTechie... yes I did. Ran the Norton uninstaller tool.
