Script Error and registry problem

I have one of my users' computers that was infected with trojans. I ran a bunch of software to clean everything, but I still get 2 issues that I can't figure out how to fix.

The first one is a pop-up window that has a script error:
"Internet Explorer script error" with the URL starting with http://view.atdmt.com/MRT/view

The second issue is that when typing nslookup in the command prompt it shows the wrong local IP address. Instead it's pointing to 206.141.192.60

The network card has no IP set up there for DNS,
so I searched the registry and found this IP there in one of the keys called dhcpNameServer.
I tried to change it to a local one, but every time I restart the computer the IP comes back.
Can someone help me? This drives me crazy.
Thanks
David
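An address that keeps reappearing in DhcpNameServer is being reissued by the DHCP server on every lease renewal, so hand-editing that value does not stick; the static NameServer value is the one an administrator controls. The following is an added example, not code from the thread, that lists both kinds of DNS entries per interface from the registry and flags any address not on an allowlist (the allowlist values are constructed placeholders):

```powershell
# Added example: enumerate DNS servers per network interface from the Tcpip
# registry keys, separating DHCP-assigned (DhcpNameServer) from static
# (NameServer) entries, and flag any address outside an allowlist.
# Run from an elevated PowerShell prompt on the affected machine.

# Constructed placeholder allowlist: the LAN router and the ISP DNS from the thread.
$AllowedDns = @('192.168.1.1', '206.141.192.60')

$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

Get-ChildItem $ifRoot | ForEach-Object {
    $iface = $_.PSChildName
    $p     = Get-ItemProperty $_.PSPath

    # DhcpNameServer is space-separated; NameServer is comma-separated.
    $dhcp   = @()
    $static = @()
    if ($p.DhcpNameServer) { $dhcp   = $p.DhcpNameServer -split '\s+' }
    if ($p.NameServer)     { $static = ($p.NameServer -split ',') | ForEach-Object { $_.Trim() } }

    foreach ($entry in @(@{ Src = 'DHCP'; List = $dhcp }, @{ Src = 'Static'; List = $static })) {
        foreach ($ip in $entry.List) {
            if (-not $ip) { continue }
            # A DHCP entry will be rewritten on renewal; only a static entry is
            # under local control, so an unexpected static server is the red flag.
            $status = if ($AllowedDns -contains $ip) { 'ok' } else { 'UNEXPECTED' }
            [PSCustomObject]@{
                Interface = $iface
                Source    = $entry.Src
                DnsServer = $ip
                Status    = $status
            }
        }
    }
} | Format-Table -AutoSize
```

If the only rows marked UNEXPECTED come from the DHCP source and match what other machines on the same link receive, the address is coming from the DHCP server rather than from a local modification.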
tavernyAuthor Commented:
OK, I will try that now.
srjacobCommented:
You still have malware in your machine.

You might try running Malwarebytes:  http://www.malwarebytes.org/

That will usually catch things.  If it doesn't, purchase Avira Premium Security Suite: www.avira.com, and that should put an end to the malware.  On a recent cleanup, Avira caught about 6 more pieces of malware than Malwarebytes.  You have to use the Premium Suite.  It has a different scan engine than the regular/free Avira.
srjacobCommented:
Note I am not associated in any way with Avira.  I am just a very happy customer who has never gotten any malware since I started using the product.
ajmehtaCommented:
I would also try SuperAntiSpyware.com for cleaning this.
rpggamergirlCommented:
Post the ComboFix log that is generated so we can check whether a script is needed or not. ComboFix won't automatically remove all bad files or infection on its first run, sometimes a script is also needed.

@ askurat1,
When suggesting ComboFix always ask for the ComboFix log to be posted/attached.
BillDLCommented:
taverny

Just for your info, the IP Address: 206.141.192.60  is an AT&T/SBC Global one.  It will show up as "Ameritech Electronic Commerce" if you start searching, but that's just a corporate name for the providers of SBC Yahoo and other related services.  The IP Address is assigned to the Domain Name Server: dns1.chcgil.sbcglobal.net

tracert 206.141.192.60

Is your ISP AT&T, SBCGlobal, SWBell, Pacbell, NevadaBell, etc?

Flush your DNS cache:
ipconfig /flushdns

www.atdmt.com (65.242.27.40) resolves to http://www.atlassolutions.com/ which apparently is an advertising arm of Microsoft: (http://advertising.microsoft.com/home).

I don't like the sound of "MRT" in the url: http://view.atdmt.com/MRT/view
as it seems to be a play on the name of Microsoft's Malicious Software Removal Tool, but may be coincidental.

Each of the folders in that URL contains only a single 1x1 pixel clear GIF file, and this is what is often used as a tracking device.  Paste the URL into Firefox and you'll see this.

Post the ComboFix log as requested by rpggamergirl and she will direct you further.
tavernyAuthor Commented:
Hi Everyone,
Thank you all for your responses.
Just to let you know, I am trying to fix this computer remotely since it is in another state.
So for ComboFix, I tried to run it but the computer crashed with the blue screen, so I had to wait for the user to go back to the screen to restart the computer. Then I tried to do it again and it seems that every time I run ComboFix it crashes my computer. I can run HijackThis if you would like and post it here.
I ran Malwarebytes and cleaned some stuff. I also ran RegClean.
For the IP address, I realized that another computer at the same location has the same IP, so I figure that the provider is passing the DNS server directly to the machine. And yes, it's an AT&T account.
I am gonna try SuperAntiSpyware.com now and let you know the result.
So far it doesn't seem that there are more pop-ups, but the redirect still exists. (For example, I typed malwarebytes in Google; it shows me the right link but when I click on it, it brings me to http://www.get-information.com/jump2/?affiliate=itcg&subid=20342&terms=malwarebytes)
tavernyAuthor Commented:
SuperAntiSpyware found 26 items. I deleted them, rebooted the computer and I still have a pop-up coming up.
Here is a snapshot of the pop-up (attachment: Capture1.JPG).
ajmehtaCommented:
Did you already run TDSSKiller as someone already suggested?

If I'm understanding correctly, you get this at STARTUP, not when launching IE, right?

In this case, I'd suggest using msconfig to set the computer to "diagnostic" mode, restart, and see if you still get that pop-up. Then re-enable some items at a time until you narrow down what the issue is.

If the problem is with IE (not on startup), then run IE without add-ons enabled, and see if this happens.
tavernyAuthor Commented:
That is correct, without launching IE. No, I haven't run TDSSKiller; I might have missed that. I am gonna try it now.
tavernyAuthor Commented:
I tried to run TDSSKiller, but nothing happens. I even tried in safe mode, but the software doesn't start.
Any advice?
ajmehtaCommented:
Are you sure you got it from http://support.kaspersky.com/downloads/utils/tdsskiller.exe ?

You may need to pull the drive and clean it externally.
rpggamergirlCommented:
Does the system have McAfee antivirus, CA or AVG installed? McAfee can eat CF files.

Also try renaming the ComboFix and TDSSKiller files before running a scan and see if that helps.
rpggamergirlCommented:
If it still won't run, try to download aswMBR.exe (511KB) to your desktop.

http://public.avast.com/~gmerek/aswMBR.exe
Double click aswMBR.exe to run it.
Click the "Scan" button to start the scan.
On completion of the scan, click "save log", save it to your desktop and post it here.

And this diagnostic tool won't delete any files on its first run; it will only delete bad files using a script that we will provide if necessary.

1. Download OTL, save to Desktop or other convenient location.
http://oldtimer.geekstogo.com/OTL.exe

2. OTL does not need to be installed, simply click the OTL icon to run
3. Click the Quick Scan Button.
4. A log will open in notepad, and OTL.txt will be saved to the same location as OTL.exe (i.e.: desktop)
5. Post/attach the log here.
tavernyAuthor Commented:
Well, sorry for the late response, but I couldn't fix it after all your help. So I decided to reinstall everything from scratch, as that was the fastest solution.
Thank you so much for all your help.
David