• Status: Solved

Apparent virus activity - Kaspersky warning - extra-msn.com/b/img1.html

Hi there, I have a laptop (XP Home SP3). A number of viruses, trojans and adware have been removed with Malwarebytes as well as Kaspersky Internet Security.

I still have a problem with Kaspersky popping up a warning every 30 seconds or so when Explorer is open: "...loading object http://www.extra-msn.com/b/img1.html...". If you go to this URL you will get a big warning from Kaspersky.

Obviously there is a problem, but I can't find it and I don't really want to do a reinstall at this time.

Anyone have any idea what this is all about?
Asked: MXDEWD
1 Solution
 
FatManc commented:
If possible please download HijackThis and run it in Save Log mode.

Copy and paste the log file contents to this message and we can advise further what to do.

Thanks
John

ComputerTechie commented:
Let me clear up this mistake:

You can run ComboFix in normal mode only, not safe mode.
I would also try using Dr.Web LiveCD.

CT

illStraight commented:
You should turn off Windows XP's System Restore feature.
Here's how:
right click on My Computer -> Properties
select System Restore tab -> check "Turn off System Restore"
click Apply -> Ok

Then run Malwarebytes again.
It's also a good idea to run Trojan Remover, Spybot, or AdAware after Malwarebytes just to make sure the machine is free of the virus remnants.
 
Mohamed Osama, Senior IT Consultant, commented:
The file img1.html in the above link is an instance of Backdoor.Aforce.
This backdoor is relatively old, but its danger comes from the fact that it can hide itself in an NTFS alternate data stream if the infection is successful; this way it will not be visible in Windows Explorer or the command line, and even AV programs sometimes fail to spot it. You will need to run Malwarebytes & ComboFix as suggested above and maybe other anti-rootkit programs to be able to fix it if you are infected. Also please show us the HijackThis log.


MXDEWD (Author) commented:
Hi everyone, thanks for the comments.

Please find the HijackThis log attached.

MXDEWD (Author) commented:
Hi there,

Downloaded and ran ComboFix. I'm not sure it removed anything; log attached.

I have also run Kaspersky Internet Security as well (as indicated in my first post).

MXDEWD (Author) commented:
Sorry, Kaspersky was blocking uploading of files. Please find them both attached below...
ComboFix-Log.txt
hijackthis.log

Mohamed Osama, Senior IT Consultant, commented:
The HijackThis log looks OK except this:
O17 - HKLM\System\CCS\Services\Tcpip\..\{696C51E6-96A4-43EB-A626-186AE32A881B}: NameServer = 202.27.158.40,202.27.156.72
Are those DNS servers really yours or assigned by your ISP?
If not, you will need to fix this.
As for the ComboFix log, I was not able to spot anything alarming. Fellow experts may correct me if I am wrong :)
Could you please post a screenshot or the text of the exact Kaspersky pop-up?
There is a workaround here, which is to block the site <www.extra-msn.com> using the HOSTS file.

Start > Run > notepad C:\WINDOWS\system32\drivers\etc\hosts
Add the line below:
127.0.0.1    www.extra-msn.com
Save the file with the exact same name (hosts) and not hosts.txt.
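A defender-side check for the O17 question raised above, as an added example that is not part of this thread: a small Python script that parses HijackThis O17 (DNS server) lines and flags any resolver not in a trusted set. The first O17 line in the sample is the one quoted in the log above; the second log line and the trusted addresses are constructed placeholders.

```python
import re

# HijackThis "O17" entries list the DNS servers configured per interface:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = ip1,ip2
O17_RE = re.compile(
    r"^O17 - (?P<key>\S+):\s*(?P<name>\w+)\s*=\s*(?P<value>.+?)\s*$"
)


def parse_o17(log_text):
    """Return (registry key, value name, [addresses]) for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            addrs = [a.strip() for a in m.group("value").split(",") if a.strip()]
            entries.append((m.group("key"), m.group("name"), addrs))
    return entries


def find_unexpected_dns(log_text, trusted):
    """Return (key, value name, address) for every resolver outside the trusted set."""
    suspicious = []
    for key, name, addrs in parse_o17(log_text):
        for addr in addrs:
            if addr not in trusted:
                suspicious.append((key, name, addr))
    return suspicious


# Constructed sample log: the O17 line quoted in the thread plus a benign DHCP entry.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [KAV] "C:\\Program Files\\Kaspersky Lab\\avp.exe"
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{696C51E6-96A4-43EB-A626-186AE32A881B}: NameServer = 202.27.158.40,202.27.156.72
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{696C51E6-96A4-43EB-A626-186AE32A881B}: DhcpNameServer = 192.168.1.1
"""

# Constructed trusted set (placeholders): the home router and the ISP's published resolver.
TRUSTED_DNS = {"192.168.1.1", "203.0.113.53"}

if __name__ == "__main__":
    for key, name, addr in find_unexpected_dns(SAMPLE_LOG, TRUSTED_DNS):
        print(f"unexpected {name} {addr} in {key}")
```

Replace TRUSTED_DNS with the resolvers your ISP actually assigns; anything the script flags is worth confirming against the ISP's published addresses before assuming it is malicious.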
 
MXDEWD (Author) commented:
Would rather try and fix the problem knowing it's being caused by malware. Who knows what else the dirty stinking scum is up to. Screenshot attached.

rpggamergirl commented:
The ComboFix log did not show that it removed any files, but that log is the result of the 3rd CF run....

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\gpkrwrct.dat
c:\windows\system32\webcljtn.dat
c:\windows\system32\adptgfot.dat
c:\windows\system32\kbdfwidv.dat
c:\windows\system32\sdhcxnst.dat
c:\windows\system32\activeus.dat
c:\windows\system32\paqsuzb.dat
c:\windows\system32\paqsuzb.dIl
c:\docume~1\MARIAN~1\LOCALS~1\Temp\jfdcd.sys

Driver::
jfdcd

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\paqsuzb]
[-HKEY_CLASSES_ROOT\CLSID\{2BC22E14-25A0-8DB5-3D3F-5DBC89342A1A}]

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 
As has already been asked, can we also look at the Kaspersky log?

MXDEWD (Author) commented:
Sorry, Kaspersky screenshot as requested previously:
KISWarning.bmp

rpggamergirl commented:
Did you run the CFScript? Can you attach the CF log here?

MXDEWD (Author) commented:
Hi there. Sorry rpg... got sidetracked on another job. CF log attached.

Cheers Jason
CF-Log.txt

ComputerTechie commented:
Did you uninstall your Norton antivirus before installing Kaspersky Anti-Virus?

CT

MXDEWD (Author) commented:
Hey ComputerTechie... yes I did. Ran the Norton uninstaller tool.