Getting These Error Messages - HELP

Status
Not open for further replies.
Originally Posted By: OVERK1LL
You can download their free trial to remove them IIRC. It is a good product.


You talking about Norton?

So Panda ActiveScan 2.0 found 8 "infected files". Six of them were Windows system restore files and 2 were adware (called "savenow") that were located in an installation .exe file for CutePDF Writer that I never installed but it's in the CutePDF folder.

I did a search for the 6 system restore files (in format like a0091859.exe) and could not find them on my HD. Did some reading on Panda's website and they say sometimes their scanner will pick these up somehow even if they have been previously erased (?).

They also said if you want to eliminate all the system restore files, go into System Restore and turn it OFF then back ON ... which I did.

So OVERKILL ... since you are a computer guru, do you think my computer is now safe and clean? The only thing I still see are those two websites being blocked by SpySweeper.

Is there any way to determine if those sites are pinging me or if my computer is trying to connect to them?
 
Originally Posted By: SuperBusa

Is there any way to determine if those sites are pinging me or if my computer is trying to connect to them?


Update - I was in SpySweeper Help and came across this information about the Internet Communication Shield feature:

"Monitors communication from your computer to known Web sites that are related to potentially unwanted programs. The Webroot software includes a list of known sites with its definitions. If the Webroot software detects an attempt to communicate with a site on the list, it displays a pop-up alert in the system tray (lower-right corner of your screen) telling you that access to the site was blocked."


So, it looks like there is still something on my machine that is trying to connect to these two following website addresses:

68.169.70.240 and D45648675.CN

68.169.70.240 is more often than D45648675.CN

Is there any way to find out what these addresses are associated with?

What is on my machine causing this? I've removed everything all these scanning programs have found.
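An added example (not from the thread, and not part of SpySweeper or any other tool mentioned) of how to answer the question above without a vendor alert: on Windows, `netstat -ano` lists every connection with the owning process ID, and `tasklist /fo csv /nh` maps those IDs to process names. A row whose foreign address is one of the watched hosts, whose local side uses a high ephemeral port and whose state is SYN_SENT or ESTABLISHED was started by this machine, not by the remote site; an inbound probe would land on a listening port instead. The two watched addresses are the ones SpySweeper reported; the captured `netstat` and `tasklist` text, the PIDs and the process names are constructed for illustration. Because `-n` prints numeric addresses, D45648675.CN would only appear as whatever IP it resolves to at the time.

```python
"""Flag connections to watched hosts in captured `netstat -ano` / `tasklist` output."""
import csv

# Addresses named in the SpySweeper alerts quoted in the thread.
WATCHED = {"68.169.70.240", "d45648675.cn"}

# Constructed sample of `netstat -ano` output (PIDs and other peers are made up).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.5:1045       68.169.70.240:80       SYN_SENT        1984
  TCP    192.168.1.5:1046       72.14.213.104:443      ESTABLISHED     3120
  TCP    192.168.1.5:1047       68.169.70.240:80       ESTABLISHED     1984
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output; "updater.exe" is a
# hypothetical name standing in for whatever owns the offending PID.
SAMPLE_TASKLIST = '''"svchost.exe","880","Console","0","4,512 K"
"updater.exe","1984","Console","0","2,348 K"
"firefox.exe","3120","Console","0","61,204 K"
"System","4","Console","0","236 K"
'''


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) for each connection row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or title
        proto, local, remote = parts[0], parts[1], parts[2]
        # UDP rows carry no State column, so the PID is always the last field.
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        rows.append((proto, local, remote, state, int(parts[-1])))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from the CSV form of tasklist."""
    names = {}
    for line in text.splitlines():
        if line.strip():
            fields = next(csv.reader([line]))
            names[int(fields[1])] = fields[0]
    return names


def host_of(addr):
    """Strip the port from 'host:port'; IPv6 literals arrive as '[addr]:port'."""
    host = addr.rpartition(":")[0]
    return host.strip("[]").lower()


def originated_here(local, state):
    """Heuristic: an outbound attempt has an ephemeral local port (>= 1024)
    and is in SYN_SENT (no answer yet, what a blocked attempt looks like)
    or ESTABLISHED; inbound traffic would hit a low, listening port."""
    try:
        lport = int(local.rpartition(":")[2])
    except ValueError:
        return False
    return state in ("SYN_SENT", "ESTABLISHED") and lport >= 1024


def find_watched(netstat_text, tasklist_text, watched=WATCHED):
    """Join both captures and return one dict per connection to a watched host."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for _proto, local, remote, state, pid in parse_netstat(netstat_text):
        if host_of(remote) in watched:
            hits.append({"pid": pid, "process": names.get(pid, "?"),
                         "remote": remote, "state": state,
                         "outbound": originated_here(local, state)})
    return hits


if __name__ == "__main__":
    for h in find_watched(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"PID {h['pid']} ({h['process']}) -> {h['remote']} "
              f"{h['state']} outbound={h['outbound']}")
```

Run the two commands at a moment when SpySweeper has just raised the alert, since a blocked SYN_SENT entry lingers only for the retry window; the PID it reports is the process to hunt, and its image path (from `tasklist /m` or Process Explorer) is what to compare against the dropped-file lists linked later in the thread.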
 
Originally Posted By: SuperBusa
Originally Posted By: SuperBusa

Is there any way to determine if those sites are pinging me or if my computer is trying to connect to them?


Update - I was in SpySweeper Help and came across this information about the Internet Communication Shield feature:

"Monitors communication from your computer to known Web sites that are related to potentially unwanted programs. The Webroot software includes a list of known sites with its definitions. If the Webroot software detects an attempt to communicate with a site on the list, it displays a pop-up alert in the system tray (lower-right corner of your screen) telling you that access to the site was blocked."


So, it looks like there is still something on my machine that is trying to connect to these two following website addresses:

68.169.70.240 and D45648675.CN

68.169.70.240 is more often than D45648675.CN

Is there any way to find out what these addresses are associated with?

What is on my machine causing this? I've removed everything all these scanning programs have found.


Looks like the CN one is from:

Win32/Multidropper.HC

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=80518&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+CaSecurityAdvisorVirusAlerts+%28CA+Security+Advisor+Virus+Alerts+%28OLD%29%29

There is a list of the files it drops as well.

And here is the info on the 68.169.70.240:

http://www.threatexpert.com/report.aspx?md5=832fe0cec27193ea9f6d6042a7d7721a

Looks like Norton should pick it up.
 
OVERKILL - Thanks for the help!!!

I'll give Norton a try. It's amazing that one of the half dozen scanners didn't pick it up.
 
Originally Posted By: SuperBusa
OVERKILL - Thanks for the help!!!

I'll give Norton a try. It's amazing that one of the half dozen scanners didn't pick it up.


'Tis the nature of malware, unfortunately.
 
Is Panda Security Cloud Antivirus worth running? I installed it, but during installation it said McAfee Security Center (the antivirus s/w I'm using) was detected as an "incompatible program" and needed to be uninstalled. Not sure I really want to do that unless this is legitimate program and worth trying.
 
Originally Posted By: OVERK1LL
It's a legitimate program and worth trying. Did Norton's on-line scan find anything?


I looked on Norton's website and really didn't see any on-line scanner. Seems like Norton wants you to do a "30 day free trial" on all of their stuff. Am I not seeing the on-line scanner link on their site?
 
Originally Posted By: SuperBusa
Originally Posted By: OVERK1LL
It's a legitimate program and worth trying. Did Norton's on-line scan find anything?


I looked on Norton's website and really didn't see any on-line scanner. Seems like Norton wants you to do a "30 day free trial" on all of their stuff. Am I not seeing the on-line scanner link on their site?


http://security.symantec.com/sscv6/DownloadInstructions.asp
 
OVERKILL ... thanks man, you've really helped out here.


My brother also recommended trying Microsoft Defender, which can be downloaded free off of Microsoft's download website. I'll let you know what I find.
 
OK, here's the latest. I downloaded and installed the Microsoft "Security Essentials" tool. Nice tool IMO. Did a Full Scan after it updated definitions, etc. Security Essentials found the file CuteComp.exe just like Panda Security on-line scanner "Active Scan 2.0" (only other scanner that did). Said there was medium risk Adware in the .exe file. I never installed CuteComp.exe by executing it, but it did reside on my HD. Removed it ... no difference, still getting the warnings about trying to connect to those two internet addresses (but being blocked by Webroot SpySweeper).

So downloaded and installed Norton "Security Scan". Ran it and it updated definitions, etc ... then did a Full Scan (took over 2 hrs). Results were it found 48 "Tracking Cookies". It did show the results, but could not copy and save or create a log of any kind. Wrote down the names of some of the cookies because they looked different than what I've seen before. Here are a couple it showed. I searched for these in Explorer (hidden files, etc) and could not find any of them.

.msnportal.112.207.net
.govtrack.us
.dotomi.com
.metacafe.122.2o7.net

That metacafe one rings a bell, as I believe I saw something about Metacafe in one of the video pop-up ads that appeared when my computer was attacked ... not 100% sure, but vaguely recall the name.

So OVERKILL, or anyone else ... why can't I find these cookies on my HD when I do a drive search? Are they buried inside some other file(s)?

Of course if you chose the "Fix Now" button in the Norton scanner they want you to buy one of their products. Their "Norton 360" looks like a full blown tool for $60/yr subscription. I wonder if removing these tracking cookies will fix this issue?

Quote from the Norton website ... makes me wonder if these cookies are causing this or not (???).

"Are Cookies Dangerous?
Contrary to what some users may think, cookies are NOT inherently malicious or dangerous. If you run a scan and you find a tracking cookie, the tracking cookie does not represent a malware infection. These are low to minimal security issues. We have seen many security companies and free "Spyware Removal Tools" emphasize detection of cookies, calling them Spyware and Trackware and stating that you are "infected", which is most unlikely to be the case. Cookies and the information they store are more related to privacy concerns."
 
You still having problems? I got rid of the pop-ups from the malware but I think I'm still infected.
 
Originally Posted By: Warstud
You still having problems? I got rid of the pop-ups from the malware but I think I'm still infected.


Yes, I think I must still have something on my machine. As I've mentioned above, I've scanned my machine with about 8+ different scanners and can't find anything major anymore. Some of those scanners found and fixed almost everything. Seemed like Malwarebytes and MS Security Essentials (thanks Bill of Utah!) worked the best for me.

Only problem left it seems is that my Webroot SpySweeper still gives warning messages and the activity log still indicates that my machine is trying to connect to two different website addresses that are known for spyware and malware (details in posts above). Thankfully, SpySweeper blocks the access to these sites.

Last tool used was Norton's on-line scanner, and it found 43 tracking cookies that had very strange names. I could NOT find any of them on my HD when I did a complete file search in Explorer. That was puzzling.

I would install Norton if I knew these newly found tracking cookies were the problem, but I don't think they are - maybe someone can chime in on that theory. Could tracking cookies really cause my machine to automatically try to connect to known dangerous websites?

I think I might try running "TDSSKiller" to see if there are any TDSS rootkit infections. These sound like they can be totally hidden and no scanners can detect them.

http://www.technibble.com/forums/showthread.php?p=92810

http://support.kaspersky.com/viruses/solutions?qid=208280684

I need some powerhouse suggestions at this point.
 
Go to the links I posted earlier. They show you the details of the infections, as well as the files they create. Search for those files and remove them!
 
Originally Posted By: OVERK1LL
Go to the links I posted earlier. They show you the details of the infections, as well as the files they create. Search for those files and remove them!


So are you saying go find those 6 files listed in the link (and the other link you posted) under the "File System Modifications" section and delete them? -- that's it?

http://www.threatexpert.com/report.aspx?md5=832fe0cec27193ea9f6d6042a7d7721a

What about all the other modifications, like to the Registry?
 
OVERKILL - BTW, I did search for some of these files listed below (shown in the long link you originally posted) and could not find any of them on my machine except lsass.exe which I believe is a legitimate Windows file - or is it??. I know lsass.exe has been scanned by all these tools.

Payload
Drops Files
Win32/Multidropper.HC drops the following files:

2_load.exe (corrupt file)
4_pinnew.exe (Win32/LdPinch.ACT)
5_odb.exe, odb.exe (Win32/Kollah.BGV)
sdra64.exe, 6_ldr3.exe (Win32/Zbot.BR)
20421413.exe (Win32/RogueSecurity!generic)
avto.exe, svc.exe (Win32/Klik.C)
lsass.exe, teste1_p.exe (Win32/Renos.AN)
q1.exe (Win32/Klik.D)
28.tmp (Win32/Alureon.APX)
 
You can easily verify if the lsass.exe you are looking at is legit by right-clicking it and go to Properties. Under the version tab, should have a pile of Microsoft information. If not.... It isn't legit


And yes, you'll have to search the registry and remove those modifications first, but the first step is removing the actual files.

Obviously make sure you have it set to show hidden and system files.
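An added example (not from the thread or from CA's advisory) of the file hunt suggested above, done with a script instead of the Explorer search box. It walks a directory tree for every name the advisory lists and applies the location rule that goes with the lsass.exe tip: the genuine lsass.exe lives only in the System32 folder, so a file of that name anywhere else is flagged, while the System32 copy is left for the Properties / Version tab check. The file names are the ones quoted from the advisory; the directory layout it scans is a throwaway tree built in a temp folder, not a real drive. Unlike the Explorer search, os.walk does not skip files carrying the hidden or system attribute.

```python
"""Walk a tree for the dropped-file names quoted from the CA advisory and
flag look-alike system binaries that sit outside their expected folder."""
import os
import tempfile

# File names quoted in the thread from CA's Win32/Multidropper.HC write-up.
DROPPED = {"2_load.exe", "4_pinnew.exe", "5_odb.exe", "odb.exe", "sdra64.exe",
           "6_ldr3.exe", "20421413.exe", "avto.exe", "svc.exe", "lsass.exe",
           "teste1_p.exe", "q1.exe", "28.tmp"}

# Genuine Windows binaries that malware impersonates by name: the real file
# lives only in System32, so a copy anywhere else is suspect on sight.
SYSTEM_NAMES = {"lsass.exe"}

REASON_IMPOSTOR = "system file name outside System32"
REASON_DROPPED = "name listed as dropped by Win32/Multidropper.HC"


def scan_tree(root, system32):
    """Return sorted [(path, reason)] for files under `root` matching DROPPED.

    os.walk sees hidden and system files (they are just attributes), unlike
    an Explorer search with those options off."""
    system32 = os.path.normcase(os.path.abspath(system32))
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        here = os.path.normcase(os.path.abspath(dirpath))
        for name in files:
            lname = name.lower()
            if lname not in DROPPED:
                continue
            if lname in SYSTEM_NAMES:
                if here == system32:
                    # Expected home of the genuine file: confirm it via the
                    # Properties > Version tab (or its signature), not by name.
                    continue
                reason = REASON_IMPOSTOR
            else:
                reason = REASON_DROPPED
            findings.append((os.path.join(dirpath, name), reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed XP-style layout standing in for a drive (no real infection);
    returns (root, system32) so the caller can scan it."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "WINDOWS", "system32")
    temp = os.path.join(root, "Documents and Settings", "user",
                        "Local Settings", "Temp")
    os.makedirs(sys32)
    os.makedirs(temp)
    for p in (os.path.join(sys32, "lsass.exe"),     # genuine location
              os.path.join(sys32, "notepad.exe"),   # unrelated file
              os.path.join(temp, "lsass.exe"),      # impostor by location
              os.path.join(temp, "sdra64.exe"),     # advisory-listed dropper
              os.path.join(temp, "report.txt")):    # unrelated file
        open(p, "wb").close()
    return root, sys32


if __name__ == "__main__":
    root, sys32 = build_sample_tree()
    for path, reason in scan_tree(root, sys32):
        print(f"{reason}: {path}")
```

On a real machine call `scan_tree(r"C:\", os.path.join(os.environ["SystemRoot"], "system32"))` from an account that can read every folder; a hit on a generic name like svc.exe or 28.tmp is a lead to check, not proof, whereas lsass.exe outside System32 has no legitimate reason to exist.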
 
OVERKILL - thanks for the info above, but I did not have a chance to do what you suggested before my computer got totally hosed up. It will not even boot up anymore.

Here are the details.

I downloaded and ran TDSSKiller.exe based on what I read in the links below, and I also saw that Warstud had used it successfully to help get rid of his bug issue (see his thread in this forum - http://www.bobistheoilguy.com/forums/ubbthreads.php?ubb=showflat&Number=1726394#Post1726394).

Info on TDSSKiller.exe
http://www.myantispyware.com/2009/12/22/how-to-remove-h8srt-trojan-remove-rootkit-tdss/

http://support.kaspersky.com/viruses/solutions?qid=208280684

So I ran TDSSKiller.exe and it gave the following message:
"Driver atapi Irp handler infected by TDSS rootkit ... cured"

The same message can be seen on the 2nd line in the Kernel Memory Scan in the TDSSKiller screen below. My messages in the TDSSKiller screen had no lines below the one I showed above, but just the flat cursor symbol at the end & bottom of the text string.

[image: TDSSKiller screenshot showing the Kernel Memory Scan output]


My machine was totally locked up at this point. NOTHING responded except the mouse. I could not close anything ... I couldn't even get Task Manager to open up.

Did a hard boot and the computer seemed to have recovered. Re-ran TDSSKiller.exe because I thought maybe it didn't run to completion based on the lack of message text (compared to the photo above). Again, the same message was given by TDSSKiller and the computer was locked up tight again. Did another hard reboot and this time the screen comes up black with the following message in white text:

A disk read error occurred
Press Ctrl+Alt+Del to restart


So I tried a Ctrl+Alt+Del and it tries to restart, but comes right back to the black screen with the disk read error message above. Tried an F8 on reboot (Safe Mode) ... same disk read error message above.

I'm dead in the water ... ANY IDEAS on how to recover from this one?


I probably have a Windows Recovery disk somewhere ... is that something that might fix this? I might be flattening my HD after all ... but I'd rather not if I can recover from this fiasco.
 