
antimalwarelist.com

  • 26-10-2010 11:50pm
    #1
    Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭


    Anytime I try and visit www.microsoft.com my page changes to antimalwarelist.com/block.php/teletext2010=1&url=http://www.microsoft.com
    with a big red box saying that it was a malicious request.

    Malwarebytes finds nothing wrong in the scan, neither does Security Essentials. Downloaded Trend Housecall (via cached google page!) and nothing found either...

    How do I remove this critter? :confused:


Comments

  • Registered Users, Registered Users 2 Posts: 9 peagussdog


    Hi Danno,

    Are you visiting the webpage from IE or Firefox or another browser? Either way, it sounds like you may have a virus, although to be sure I need a bit more info... but in the meantime I can give you a few places to start to help with your problem.

    First off, download and install Spybot S&D. This is free software... there are people trying to get you to pay for it. Anyway, I will have links at the bottom of the post.

    Install, update and run Immunize, and then check for problems... then fix any problems that this finds.

    Next, if this hasn't resolved your issue, download and install HijackThis... Now be very careful with this program. Run "Do system Scan and save to logfile". When this is finished running, a Notepad doc will open. Copy the entire document and post it into this website, hijackthis.de, and click the Analyze button. This will give you a rating for everything that is installed on your computer. If you are unsure about anything that is installed, do not fix the item but post it here instead and I will check it out for you!

    Spybot : http://www.safer-networking.org/en/download/
    hijackthis : http://www.hijackthis.de/


    There are stronger methods to remove things off your system, but they run at a higher risk.

    A few things that might help if this doesn't solve your problem: let me know what antivirus you are using and also what version of Windows you are using!

    Best of Luck dude


  • Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭Danno


    Cheers for the quick reply! Got rid of the AntiVirus8 Malware prior to this using a full scan on MBAM and did a full scan using MSSE. I am using Vista, and IE8. I will try the steps above and let you know.


  • Registered Users, Registered Users 2 Posts: 9 peagussdog


    Cool dude... let me know how you get on...

    That error you are receiving, by the way, is from IE8, which stops you going to malicious web pages. So you are definitely being redirected by something.


  • Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭Danno


    HiJackThis reported everything fine... running a SpybotS&D scan now and it has found... FakeBill.CourtCologne


  • Registered Users, Registered Users 2 Posts: 9 peagussdog


    Cool, you seem to be getting there... let me know when it's finished if it's fixed; if not, we will up it to another level.


  • Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭Danno


    Still not resolved. All the scanners are missing this. Have reset my browser and firewall also. But the antimalwarelist.com page still persists.


  • Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭Danno


    The page I get redirected to is here... http://antimalwarelist.com/block.php - do NOT click on the grey buttons.


  • Registered Users, Registered Users 2 Posts: 1,456 ✭✭✭FSL


    Have you checked your Hosts file? Malwarebytes should have picked up any problems with it but check it anyway.

    Also check your DNS server settings; they may have been altered.


  • Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭Danno


    Tried this... http://support.microsoft.com/kb/972034 but no cigar. Will check DNS. Downloading Kaspersky Pure Trial now to see if it finds anything.


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    Your best course of action is to read the "I think I have a virus" - Please Read & Try BEFORE Posting (Updated 12/02/2010) sticky and carry out as many of the instructions in that thread, then post the relevant logs here. Someone will be along to help but only once you do those tasks.


  • Registered Users, Registered Users 2 Posts: 9 peagussdog


    Hey dude,

    If you are still having problems, the next thing that I would recommend is running a program called ComboFix. The link has a guide to how to use it on this page too. If this still doesn't work, the likelihood is that the virus could be a rootkit or that it is hiding in your System Restore files.

    One word of warning: this can sometimes damage your profile in Windows Vista. It is imperative that you have a separate account with admin access set up before you run ComboFix. If it damages your profile, it can be fixed by editing the registry, but you have to have another admin account to do it!
    :cool:

    One thing you may want to try first, though, is to download and install another web browser, i.e. Mozilla Firefox, to see if you have the same problem with a different browser. Just out of curiosity.


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    It sounds like a Windows hosts file infection that can remain even after a virus has apparently been removed. Programs like Malwarebytes can miss this hosts file infection and so even after everything has been cleaned, the computer still misbehaves.

    Have a look at the hosts file (C:\Windows\System32\Drivers\etc\HOSTS) to see if it looks alright (i.e. more or less empty apart from comments).

    If the hosts file looks infected, then follow the instructions here (especially the hosts file bits at points 18-19) to replace it with a clean one.


  • Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭Danno


    In the etc folder, HOSTS is called hosts.old and this is what it contains...

    ==================================================================
    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
    ::1 localhost
    ==================================================================

    Am I right in thinking that the .old extension should not be there? I will follow the instructions on the bleepingcomputer page and let you know.

    Thanks to everyone for their help so far, hopefully there will be a successful outcome!


  • Registered Users, Registered Users 2 Posts: 92 ✭✭jolsen


    hosts.old is often just somebody or some program replacing a hosts file and the .old is just for backup. The hosts file has no extension. If you run dds from the sticky it should show if there are any naughty entries in your hosts file and elsewhere, if you're still having troubles.
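The hosts file check discussed in the posts above, as an added example that is not part of the original thread: a Python parser that lists every active entry other than the default localhost lines. The function names and the tampered sample (documentation address 203.0.113.7 and the `example.test` names) are constructed for illustration.

```python
import ipaddress

# Hosts content as posted in the thread (comment block shortened).
THREAD_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost
"""

# Constructed sample of a tampered file; the address and test names are placeholders.
TAMPERED_HOSTS = """\
127.0.0.1 localhost
203.0.113.7 www.microsoft.com microsoft.com # added by something else
0.0.0.0 update.example.test
not-an-ip www.example.test
"""


def parse_hosts(text):
    """Return (line_number, ip_or_None, fields) for every active entry."""
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None  # first column is not an IP address
        entries.append((number, ip, fields[1:] if ip is not None else fields))
    return entries


def audit_hosts(text):
    """List every mapping that is not a default localhost entry."""
    findings = []
    for number, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((number, "malformed", " ".join(names), ""))
            continue
        for name in (n.lower() for n in names):
            if name == "localhost" and ip.is_loopback:
                continue  # the two default entries
            local = ip.is_loopback or ip.is_unspecified
            kind = "blocked" if local else "redirected"
            findings.append((number, kind, name, str(ip)))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(TAMPERED_HOSTS):
        print(finding)
```

An empty result, as for the file posted in the thread, means the redirect is coming from somewhere other than the hosts file.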


  • Closed Accounts Posts: 5 Techvets


    Hi
    I recommend running SUPERAntiSpyware Portable Edition (great tool); it's a force to be reckoned with. It also sounds like your browser is being redirected... so try resetting the hosts file. Here is a link to an application that will do it for you, I use it all the time. http://www.brothersoft.com/downloads/winsockfix-1.1.0.13.html Also clean your Temp files before running any tools such as Malwarebytes etc. Good luck and let me know if this works.


  • Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭Danno


    ComboFix report...

    ==================================================================
    ComboFix 10-10-26.04 - User 27/10/10 22:12:24.2.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.353.1033.18.1788.939 [GMT 1:00]
    Running from: c:\users\User\Downloads\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))
    .

    2010-10-27 21:20 . 2010-10-27 21:20 d-----w- c:\users\User\AppData\Local\temp
    2010-10-27 21:20 . 2010-10-27 21:20 d-----w- c:\users\Default\AppData\Local\temp
    2010-10-27 12:17 . 2009-12-14 11:44 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
    2010-10-27 12:17 . 2009-12-14 11:44 39352 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
    2010-10-27 12:16 . 2010-10-27 17:36 d-----w- c:\programdata\Kaspersky Lab
    2010-10-27 09:57 . 2010-10-27 09:57 d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-10-27 01:05 . 2010-10-27 09:35 d-----w- c:\programdata\Spybot - Search & Destroy
    2010-10-27 01:05 . 2010-10-27 09:35 d-----w- c:\program files\Spybot - Search & Destroy
    2010-10-26 20:46 . 2010-10-18 08:41 6146896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8FD96789-FEAD-4A5F-A1EA-207AB2CE792D}\mpengine.dll
    2010-10-26 20:41 . 2010-10-26 20:41 d-----w- c:\program files\Microsoft Security Essentials
    2010-10-26 19:18 . 2010-10-26 19:18 d-----w- c:\users\User\AppData\Roaming\Malwarebytes
    2010-10-26 19:18 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-26 19:18 . 2010-10-26 19:18 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-26 19:18 . 2010-10-26 19:18 d-----w- c:\programdata\Malwarebytes
    2010-10-26 19:18 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-22 18:03 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DE79F698-1AF9-436D-9DDA-34C10522DD00}\mpengine.dll
    2010-10-13 18:55 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
    2010-10-13 18:52 . 2010-08-31 13:27 2038272 ----a-w- c:\windows\system32\win32k.sys
    2010-10-13 18:51 . 2010-08-20 16:05 867328 ----a-w- c:\windows\system32\wmpmde.dll
    2010-10-13 18:51 . 2010-08-31 15:44 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-09-29 07:33 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-09-29 07:33 . 2010-08-26 04:23 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 10:41 . 2009-10-02 19:37 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-08-17 14:11 . 2010-09-15 19:54 128000 ----a-w- c:\windows\system32\spoolsv.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-10-27_18.12.23 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-04 10:19 . 2010-10-27 21:12 34468 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 13:02 . 2010-10-27 21:12 64454 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2009-08-04 09:45 . 2010-10-27 18:02 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-08-04 09:45 . 2010-10-27 21:10 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-10-27 11:52 . 2010-10-27 18:02 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-10-27 11:52 . 2010-10-27 21:10 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-08-04 09:45 . 2010-10-27 21:10 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-08-04 09:45 . 2010-10-27 18:02 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-08-04 10:19 . 2010-10-27 21:12 9136 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1342764858-1143932900-3463216980-1000_UserData.bin
    + 2010-10-27 21:10 . 2010-10-27 21:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-10-27 18:02 . 2010-10-27 18:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-10-27 18:02 . 2010-10-27 18:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-10-27 21:10 . 2010-10-27 21:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-08-12 14:32 . 2010-10-27 21:05 327932 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    - 2006-11-02 10:33 . 2010-10-27 18:11 609196 c:\windows\System32\perfh009.dat
    + 2006-11-02 10:33 . 2010-10-27 21:19 609196 c:\windows\System32\perfh009.dat
    - 2006-11-02 10:33 . 2010-10-27 18:11 108672 c:\windows\System32\perfc009.dat
    + 2006-11-02 10:33 . 2010-10-27 21:19 108672 c:\windows\System32\perfc009.dat
    - 2009-08-04 15:21 . 2010-10-27 17:31 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2009-08-04 15:21 . 2010-10-27 18:19 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-18 1008184]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-12-11 1310720]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-25 652624]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-13 1603152]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 136176]
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-25 42368]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-04-07 24936]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-04-03 27320]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 21:13]

    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-15 21:13]
    .
    .
    Supplementary Scan
    .
    TCP: {58B5370F-60E7-4739-BB53-AD995DFB1F4E} = 208.67.222.222,208.67.220.220
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-27 22:20
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.0 by Gmer, http://www.gmer.net
    Windows 6.0.6002

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll acpi.sys >>UNKNOWN [0x856F8566]<<
    1 ntkrnlpa!IofCallDriver[0x81C5A962] -> \Device\Harddisk0\DR0[0x84B51030]
    2 ntkrnlpa[0x81C5A962] -> CLASSPNP.SYS[0x827B58B3] -> \Device\Harddisk0\DR0[0x84B51030]
    3 CLASSPNP[0x827B58B3] -> ntkrnlpa!IofCallDriver[0x81C5A962] -> [0x84B67308]
    4 ntkrnlpa[0x81C5A962] -> hpdskflt.sys[0x82798065] -> [0x84B67308]
    5 hpdskflt[0x82798065] -> ntkrnlpa!IofCallDriver[0x81C5A962] -> [0x84B5C8A8]
    6 ntkrnlpa[0x81C5A962] -> acpi.sys[0x806176BC] -> [0x84B5C8A8]
    7 acpi[0x806176BC] -> ntkrnlpa!IofCallDriver[0x81C5A962] -> [0x84AF91C8]
    \Driver\atapi[0x84AF18B0] -> IRP_MJ_CREATE -> 0x856F8566
    8 ntkrnlpa[0x81C5A962] -> UNKNOWN[0x856F8569] -> [0x84AF91C8]
    kernel: MBR read successfully
    detected hooks:
    \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskFUJITSU_MHZ2160BH_G2____________________8909____#5&693d231&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    \Driver\Disk -> CLASSPNP.SYS @ 0x827b5d24
    \Driver\ACPI -> acpi.sys @ 0x80617d68
    \Driver\atapi DriverStartIo -> 0x856F83B2
    \Driver\atapi -> ataport.SYS @ 0x8071ea2c
    user != kernel MBR !!!
    sectors 312581587 (+220): user != kernel

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-10-27 22:23:36
    ComboFix-quarantined-files.txt 2010-10-27 21:23
    ComboFix2.txt 2010-10-27 18:15

    Pre-Run: 139,855,118,336 bytes free
    Post-Run: 139,836,526,592 bytes free

    - - End Of File - - 7FC4C7D3B2AAE8F9912F9E6CA5C0C3E0
    ==================================================================

    Have tried SUPER AntiSpyware also, but found nothing. Will try that brothersoft link next and let you know. Thanks once again folks, fair play for all the help.

    Danno.


  • Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭Danno


    No joy from the brothersoft link. Page also displays under Firefox. I am gonna try ComboFix in Safe Mode now as it does say it finds rootkit.
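As an added example (not part of the original posts and not ComboFix's own logic), this Python script pulls out the lines in the MBR scan section of the log above that point at the boot sector: an unnamed module in the disk call chain, atapi entry points that resolve to a bare address instead of a named driver, and the user/kernel MBR mismatch. The function names and the same-4-KB-page heuristic are assumptions of this example, and the clean sample is constructed.

```python
import re

HEX = r"0x[0-9A-Fa-f]+"

# Lines copied from the "Stealth MBR rootkit" section of the log quoted in the thread.
THREAD_EXCERPT = r"""
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll acpi.sys >>UNKNOWN [0x856F8566]<<
\Driver\atapi[0x84AF18B0] -> IRP_MJ_CREATE -> 0x856F8566
8 ntkrnlpa[0x81C5A962] -> UNKNOWN[0x856F8569] -> [0x84AF91C8]
detected hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x827b5d24
\Driver\ACPI -> acpi.sys @ 0x80617d68
\Driver\atapi DriverStartIo -> 0x856F83B2
\Driver\atapi -> ataport.SYS @ 0x8071ea2c
user != kernel MBR !!!
sectors 312581587 (+220): user != kernel
"""

# Constructed sample of a run with nothing to report (not from the thread).
CLEAN_SAMPLE = r"""
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll acpi.sys
detected hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x827b5d24
\Driver\atapi -> ataport.SYS @ 0x8071ea2c
"""


def triage_mbr_section(text):
    """Return (kind, detail) findings for the MBR scan part of a log."""
    findings, unknown_pages, bare = [], set(), []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("called modules:"):
            # A module the scanner could not name sits in the disk call chain.
            for addr in re.findall(r">>UNKNOWN \[(%s)\]<<" % HEX, line):
                unknown_pages.add(int(addr, 16) >> 12)
                findings.append(("unknown_module", addr))
        # A driver entry point shown as a bare address, not "name.sys @ addr".
        m = re.match(r"\\Driver\\(\w+).*->\s*(%s)$" % HEX, line)
        if m:
            bare.append(m.groups())
            findings.append(("bare_handler", "%s %s" % m.groups()))
        # User-mode and kernel-mode reads of the boot sector disagree.
        if "user != kernel MBR" in line:
            findings.append(("mbr_mismatch", line))
        m = re.match(r"sectors (\d+) \(\+(\d+)\): user != kernel", line)
        if m:
            findings.append(("sector_mismatch", "%s +%s" % m.groups()))
    # Heuristic (assumption): a bare handler in the same 4 KB page as the
    # unnamed module most likely belongs to that module.
    for driver, addr in bare:
        if (int(addr, 16) >> 12) in unknown_pages:
            findings.append(("handler_in_unknown_region", "%s %s" % (driver, addr)))
    return findings


def boot_sector_suspect(findings):
    """True when the findings justify checking the disk from another system."""
    kinds = {kind for kind, _ in findings}
    return bool(kinds & {"mbr_mismatch", "sector_mismatch",
                         "handler_in_unknown_region"})


if __name__ == "__main__":
    for finding in triage_mbr_section(THREAD_EXCERPT):
        print(finding)
    print("suspect:", boot_sector_suspect(triage_mbr_section(THREAD_EXCERPT)))
```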


  • Closed Accounts Posts: 5 Techvets


    I remember seeing this problem before and the only way I could shake it was by taking out the hard drive and slaving it off another pc. If you need more help on this let me know


  • Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭Danno


    Would MSSE find it on the HDD if it were connected via USB to a PC with up-to-date MSSE?


  • Closed Accounts Posts: 5 Techvets


    I removed it with Kaspersky..never tried MSE. I'm sure it will. It's worth a shot


  • Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭Danno


    ==================================================================
    Trojan:DOS/Alureon.A

    Microsoft Security Essentials encountered the following error: Error code 0x800704ec. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.

    Category: Trojan

    Description: This program is dangerous and executes commands from an attacker.

    Recommendation: Remove this software immediately.

    Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

    Items:
    boot:\Device\Harddisk7\DR16

    Get more information about this item online... http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan%3aDOS%2fAlureon.A&threatid=2147636949
    ==================================================================

    Came across this when MBAM did a scan on the HDD connected to a USB. MSSE missed it first time round. :O


  • Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭Danno


    http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/ Instructions here appear to have cleared it! Yipeeee!!!

    Thanks for all your help and support along the way lads.


  • Closed Accounts Posts: 1 Akadeeda


    Thanks Danno for providing the link to the website that helps you fix your MBR. Like you I had a bad virus, Antivirus 8, that none of the usual malware programs could detect all of the virus, i.e. Malwarebytes, AntiSuperspyware, Spyware Doctor, Avast, and the list goes on. Malwarebytes found parts of it but my internet browser kept being hijacked and I was redirected to antimalwarelist.com. So after following the directions to the link, with my own changes per se, I am now virus free!! Thanks for sharing the information with everyone!!

