• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 522

Apparent virus activity - Kaspersky warning - extra-msn.com/b/img1.html

Hi there, I have a laptop (XP Home SP3). A number of viruses, trojans and adware have been removed with Malwarebytes as well as Kaspersky Internet Security.

I still have a problem with Kaspersky popping up a warning every 30 seconds or so when Explorer is open: "...loading object http://www.extra-msn.com/b/img1.html...". If you go to this URL you will get a big warning from Kaspersky.

Obviously there is a problem, but I can't find it and I don't really want to do a reinstall at this time.

Anyone have any idea what this is all about?
Asked by: MXDEWD
1 Solution
 
FatManc commented:
If possible please download HiJackThis and run it in Save Log mode.

Copy and paste the log file contents into this message and we can advise further what to do.

Thanks
John
ComputerTechie commented:
Let me clear up this mistake:

You can run ComboFix in normal mode only, not in safe mode.
I would also try using Dr.Web LiveCD.

CT
illStraight commented:
You should turn off Windows XP's System Restore feature.
Here's how:
right click on My Computer -> Properties
select System Restore tab -> check "Turn off System Restore"
click Apply -> Ok

Then run Malwarebytes again.
It's also a good idea to run Trojan Remover, Spybot, or Ad-Aware after Malwarebytes, just to make sure the machine is free of the virus remnants.
Mohamed Osama (Senior IT Consultant) commented:
The file img1.html in the above link is an instance of Backdoor.Aforce.
This backdoor is relatively old, but its danger comes from the fact that it can hide itself in an NTFS alternate file stream if the infection is successful; this way it will not be visible in Windows Explorer or the command line, and even AV programs will sometimes fail to spot it. You will need to run Malwarebytes & ComboFix as suggested above, and maybe other anti-rootkit programs, to be able to fix it if you are infected. Also, please show us the HijackThis log.

MXDEWD (Author) commented:
Hi everyone, thanks for the comments.

Please find the HijackThis log attached.
MXDEWD (Author) commented:
Hi there,

Downloaded and ran ComboFix - I'm not sure it removed anything, log attached.

I have also run Kaspersky Internet Security as well (as indicated in my first post).
MXDEWD (Author) commented:
Sorry, Kaspersky was blocking the uploading of files - please find them both attached below...
ComboFix-Log.txt
hijackthis.log
Mohamed Osama (Senior IT Consultant) commented:
The HijackThis log looks OK except this:
O17 - HKLM\System\CCS\Services\Tcpip\..\{696C51E6-96A4-43EB-A626-186AE32A881B}: NameServer = 202.27.158.40,202.27.156.72
Are those DNS servers really yours or assigned by your ISP?
If not, you will need to fix this.
As for the ComboFix log, I was not able to spot anything alarming. Fellow experts may correct me if I am wrong :)
Could you please post a screenshot or the text of the exact Kaspersky pop-up?
There is a workaround here, which is to block the site <www.extra-msn.com> using the HOSTS file.

Start > Run > notepad C:\WINDOWS\system32\drivers\etc\hosts
Add the line below:
127.0.0.1    www.extra-msn.com
Save the file with the exact same name (hosts) and not hosts.txt.

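The O17 check above (are the configured DNS servers really the ISP's?) is easy to automate over a HijackThis log. The following is an added example, not code from the thread: it extracts every O17 NameServer entry and flags any resolver that is neither on a trusted list nor a private home-router address. The trusted list and all sample log lines except the quoted O17 entry are constructed assumptions.

```python
import ipaddress
import re

# Constructed HijackThis log excerpt. The first O17 line is the one quoted in
# the thread; the O1, O4 and second O17 lines are made up for illustration.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 www.extra-msn.com
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{696C51E6-96A4-43EB-A626-186AE32A881B}: NameServer = 202.27.158.40,202.27.156.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{696C51E6-96A4-43EB-A626-186AE32A881B}: NameServer = 192.168.1.1
"""

# O17 lines have the shape "O17 - <registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[0-9.,]+)\s*$")


def parse_o17(log_text):
    """Return [(registry_key, [ip, ...]), ...] for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            ips = [ip for ip in m.group("servers").split(",") if ip]
            entries.append((m.group("key"), ips))
    return entries


def suspicious_nameservers(log_text, trusted):
    """Return the sorted O17 resolvers that are neither in `trusted` (your ISP's
    or your own DNS servers) nor private RFC 1918 addresses (a home router).
    Malformed addresses are flagged too, since they cannot be vetted."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    flagged = set()
    for _key, ips in parse_o17(log_text):
        for ip in ips:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                flagged.add(ip)
                continue
            if addr not in trusted_ips and not addr.is_private:
                flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    # Assumption: no ISP resolvers are known yet, so only the router is expected.
    for ip in suspicious_nameservers(SAMPLE_LOG, trusted=[]):
        print(f"Verify with your ISP: unexpected DNS server {ip}")
```

Once the ISP confirms its resolvers, pass them as `trusted` and the check returns an empty list for a clean O17 configuration.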
MXDEWD (Author) commented:
Would rather try and fix the problem knowing it's being caused by malware. Who knows what else the dirty stinking scum is up to. Screenshot attached.
rpggamergirl commented:
The ComboFix log did not show that it removed any files, but that log is the result of the 3rd CF run....

Run ComboFix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\gpkrwrct.dat
c:\windows\system32\webcljtn.dat
c:\windows\system32\adptgfot.dat
c:\windows\system32\kbdfwidv.dat
c:\windows\system32\sdhcxnst.dat
c:\windows\system32\activeus.dat
c:\windows\system32\paqsuzb.dat
c:\windows\system32\paqsuzb.dIl
c:\docume~1\MARIAN~1\LOCALS~1\Temp\jfdcd.sys

Driver::
jfdcd

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\paqsuzb]
[-HKEY_CLASSES_ROOT\CLSID\{2BC22E14-25A0-8DB5-3D3F-5DBC89342A1A}]

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 
As has already been asked, can we also look at the Kaspersky log?
MXDEWD (Author) commented:
Sorry, Kaspersky screenshot as requested previously.
KISWarning.bmp
rpggamergirl commented:
Did you run the CFScript? Can you attach the CF log here?
MXDEWD (Author) commented:
Hi there, sorry rpg... got sidetracked on another job. CF log attached.

Cheers Jason
CF-Log.txt
ComputerTechie commented:
Did you uninstall your Norton AntiVirus before installing Kaspersky Anti-Virus?

CT
MXDEWD (Author) commented:
Hey ComputerTechie... yes I did. Ran the Norton uninstaller tool.