Adlice forum

General Category => Malware removal help => Topic started by: lkbart on January 28, 2017, 02:31:11 AM

Title: Browser Hijacker I can't get rid of
Post by: lkbart on January 28, 2017, 02:31:11 AM
Is there any way to get RogueKiller to scan external drives?  I believe I have a redirect/hijack virus on an external drive but nothing can find it, started out with a mellowsurvey ad in Chrome & it comes up in Firefox too now.  I have reinstalled Windows 7 prof, and it came back; then I reformatted then reinstalled Windows 7 prof and it came back again, but it didn't come back until I hooked up my external drives.  The only malware program that could find anything on my computer was RogueKiller, so I bought it.  But now it says my computer is clean, but I'm still getting redirects, and they are getting more obnoxious.  I need the photos off those 2 drives, and don't know how to do that without copying the virus also.  Thoughts?  Suggestions please? 
Title: Re: Browser Hijacker I can't get rid of
Post by: Curson on January 29, 2017, 02:46:00 PM
Hi lkbart,

Welcome to Adlice.com Forum.
Could you please attach the RogueKiller report with your next reply?

Regards.
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on January 29, 2017, 07:02:40 PM
This is the last scan that found anything (well, except the one that found & killed zemana). 

RogueKiller V12.9.5.0 (x64) [Jan 23 2017] (Premium) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Calypso [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 01/26/2017 00:51:48 (Duration : 00:15:17)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3500418AS ATA Device +++++
--- User ---
[MBR] 445a0fa862053eabad731431ee9710de
[BSP] 279c2ca4427da3d2b1ef6b539245d5f4 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476937 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Samsung SSD 840 EVO 500GB ATA Device +++++
--- User ---
[MBR] 73b4e66ae4fc15e17f09ace7cd96c9e9
[BSP] 75fd2afd17331e5cf04f48804a9e0dbf : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: TEAC USB   HS-CF Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: TEAC USB   HS-xD/SM USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: TEAC USB   HS-MS Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: TEAC USB   HS-SD Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: LaCie P9230 USB Device +++++
Error reading User MBR! ([57] The parameter is incorrect. )
Error reading LL1 MBR! ([79] The semaphore timeout period has expired. )
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive7: Seagate Backup+ Desk USB Device +++++
--- User ---
[MBR] ec3c24db9a445467986b831406c66357
[BSP] 0abffb185016e72bdad2b091f91bef0b : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907726 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
This scan was the first one I ran that found anything:
RogueKiller V12.9.5.0 (x64) [Jan 23 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Calypso [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 01/24/2017 21:05:01 (Duration : 00:18:24)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 12 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP.Gen1][Folder] C:\Users\Calypso\AppData\Local\PackageAware -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3500418AS ATA Device +++++
--- User ---
[MBR] 445a0fa862053eabad731431ee9710de
[BSP] 279c2ca4427da3d2b1ef6b539245d5f4 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476937 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Samsung SSD 840 EVO 500GB ATA Device +++++
--- User ---
[MBR] 73b4e66ae4fc15e17f09ace7cd96c9e9
[BSP] 75fd2afd17331e5cf04f48804a9e0dbf : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: TEAC USB   HS-CF Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: TEAC USB   HS-xD/SM USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: TEAC USB   HS-MS Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: TEAC USB   HS-SD Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: LaCie P9230 USB Device +++++
Error reading User MBR! ([57] The parameter is incorrect. )
Error reading LL1 MBR! ([79] The semaphore timeout period has expired. )
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive7: Seagate Backup+ Desk USB Device +++++
--- User ---
[MBR] ec3c24db9a445467986b831406c66357
[BSP] 0abffb185016e72bdad2b091f91bef0b : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907726 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
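An added example, not code from the thread or from RogueKiller itself: it parses the "Registry" section of a report shaped like the ones above and triages the [PUM.Dns] DhcpNameServer findings the way Curson did by hand (are these the ISP's resolvers, a LAN device, or something unexpected?). The sample lines, the 203.0.113.53 resolver and the placeholder SID are constructed, and the EXPECTED_RESOLVERS ranges are an assumption the analyst fills in from the ISP's documentation.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the shape of the "Registry" section of the RogueKiller
# reports posted above. The first two lines repeat the thread's resolvers
# (ControlSet001/002 are two copies of the same setting); the third line is an
# invented unknown resolver (203.0.113.53, a documentation address) so the
# "review" branch is exercised; the SID in the last line is a placeholder.
SAMPLE_REPORT = r"""
¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 203.0.113.53 ([X])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Found
"""

# One RogueKiller registry finding: [Category] (Arch) Key | Value : Data -> Status
ENTRY_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\] \((?P<arch>X64|X86)\) (?P<key>.+?) \| "
    r"(?P<value>[^:]+?) : (?P<data>.*?)\s+-> (?P<status>\w+)\s*$"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Assumption: the resolver ranges the ISP is expected to hand out via DHCP.
# Curson's question about Cox points at these being the ISP's servers, but the
# analyst fills this in from the ISP's documentation; the thread does not prove it.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("68.105.28.0/24"),
    ipaddress.ip_network("68.105.29.0/24"),
]
# RFC 1918 ranges: a resolver here is a LAN device, usually the router.
LAN_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_registry_entries(report: str) -> List[Dict[str, str]]:
    """Extract every registry finding line into a dict; other lines are skipped."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def count_by_category(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """How many findings of each PUM/PUP category the report contains."""
    return dict(Counter(e["category"] for e in entries))


def triage_dns(entries: List[Dict[str, str]]) -> Dict[str, str]:
    """Verdict per resolver address found in PUM.Dns entries.

    Addresses are deduplicated, so the ControlSet001/ControlSet002 copies of the
    same DhcpNameServer value are judged once. A LAN address means the router is
    the resolver and its own DNS settings deserve a look; anything else outside
    the expected ISP ranges is flagged for review.
    """
    verdicts: Dict[str, str] = {}
    for e in entries:
        if e["category"] != "PUM.Dns":
            continue
        for ip in IPV4_RE.findall(e["data"]):
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in EXPECTED_RESOLVERS):
                verdicts[ip] = "expected ISP resolver"
            elif any(addr in net for net in LAN_NETS):
                verdicts[ip] = "LAN resolver: check router DNS settings"
            else:
                verdicts[ip] = "unknown public resolver: review"
    return verdicts


if __name__ == "__main__":
    found = parse_registry_entries(SAMPLE_REPORT)
    print(count_by_category(found))
    for ip, verdict in triage_dns(found).items():
        print(f"{ip:16} {verdict}")
```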
Title: Re: Browser Hijacker I can't get rid of
Post by: Curson on January 29, 2017, 07:31:07 PM
Hi lkbart,

Make sure to plug in all your possibly infected external drives.
Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
Regards.
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on January 29, 2017, 08:02:25 PM
I've attached the FRST and the Addition files.
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on January 29, 2017, 08:03:02 PM
Apparently only the Addition file attached - here is the FRST
Title: Re: Browser Hijacker I can't get rid of
Post by: Curson on January 29, 2017, 08:38:55 PM
Hi lkbart,

I don't see anything malicious on the reports.
Are you experiencing browser hijacking behaviours at this time?

Regards.
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on January 29, 2017, 09:18:30 PM
At this point in time, no, I'm not.  I have not reinstalled Chrome - that's where the attacks began, but continued in Firefox.  We have put a site block in the router on mellowsurvey and engine.spotcenered.info, and got a blocked site pop-up (wanting the password to the router - ha!). Then a while later the browser tab I was reading got hijacked to the below screenshot - and I unplugged the machine.  I ran Roguekiller right after that & it didn't find anything.  So I'm not comfortable that it's completely gone.   
Title: Re: Browser Hijacker I can't get rid of
Post by: Curson on January 29, 2017, 10:18:41 PM
Hi lkbart,

Since no infection is detected, there is little I can do.
What I suggest is to wait if it appears again.

Regards.
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on January 30, 2017, 12:33:40 AM
Thanks for checking for me.  I will let you know if it hits me again. 
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on January 30, 2017, 07:00:00 AM
Happened again.  Attached the Roguekiller scan, & the FRST  & Addition scans.  And a screenshot of the hijack.
Title: Re: Browser Hijacker I can't get rid of
Post by: Curson on January 30, 2017, 07:41:54 PM
Hi lkbart,

The reports are clean again.
Does this only happen with Firefox?

Regards.
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on January 30, 2017, 07:51:56 PM
It started on Chrome, but I uninstalled it along with all the personal data, and then reinstalled Chrome and the virus came back, so I uninstalled it again and have not reinstalled after I formatted and reinstalled Windows 7 prof.  Been using Firefox since then. 
Title: Re: Browser Hijacker I can't get rid of
Post by: Curson on January 30, 2017, 09:06:10 PM
Hi lkbart,

That's really strange.
Could you please give Malwarebytes AdwCleaner (http://www.adlice.com/documentation/adwcleaner/tutorial/) a try?

Regards.
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on January 30, 2017, 10:09:34 PM
Downloaded, ran, didn't find anything.  Attached the log file.  This is crazy.
Title: Re: Browser Hijacker I can't get rid of
Post by: Curson on January 30, 2017, 10:56:53 PM
Hi lkbart,

Could you please list the browsers which are redirecting?
Are other computers on the same network affected as well?
Is your router admin panel password weak or default?

Regards.
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on January 31, 2017, 12:47:47 AM
Firefox, Chrome
No, there are 4 other computers unaffected.
No, it's not default.  Not a weak password, probably not terribly strong, but nothing common or a word or anything like that.  I am updating it now to a stronger one.
Title: Re: Browser Hijacker I can't get rid of
Post by: Curson on January 31, 2017, 10:35:20 PM
Hi lkbart,

This is really unusual.
Could you please confirm that your ISP is Cox Communications?

Regards.
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on January 31, 2017, 11:44:16 PM
Yes, it is Cox
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on February 01, 2017, 01:28:45 AM
An interesting thing - back in September I got an email from Cox saying that one of our computers may be infected with a virus; we scanned everything and nothing ever showed up, no symptoms, nothing caught in any scans.  I called Cox & basically they said that if they thought we had the virus that they could and would shut off our internet, they couldn't tell me how they got the report that we had an infected computer, just said I should go to their website to access their security software (which is McAfee).  Never found anything, and never heard back from Cox.  And we still have internet.  I don't think what I've got is that virus, as it apparently gives redirects in google searches to ads, and I've never had that happen (it just takes over one browser tab that's already open), and I haven't had any programs fail to run.  The only part of it that seems to be the same (from the blip I read) is that the services it uses don't show it being infected.

Not sure that this helps, but thought I'd throw it out there if it might.  Here's the email from Cox, copied & pasted:

Dear Subscriber,
 
Cox has identified that one or more of the computers in your home may be infected with the Alureon / TDSS Virus.
 
Viruses can take control of your PC and gather your personal information such as passwords and credit card numbers, putting your data at risk
 
The following FREE security tools could help you detect and remove infections from your systems:
The Microsoft Safety Scanner
http://www.microsoft.com/security/scanner/
 
Norton Power Eraser
http://security.symantec.com/nbrt/npe.aspx
 
Cox Security Suite Plus powered by McAfee is included FREE with your Cox High Speed Internet service.  This software can be used to help protect up-to 5  devices in your home, including Windows and Mac OS computers, and Android and Apple tablets and smartphones.
To get started, simply browse to www.cox.com/securitysuite and login with your Cox primary User ID and Password.
If you already have an Anti-virus solution installed, you should refer to your software manual before installing the Cox Security Suite.
 
If you need additional support, Cox offers premium technical support at reasonable rates. 
Visit Cox Tech Solutions at https://secure.coxtechsolutions.com/ or call 877.TEC.SOLV (832.7658) to get started.
 
If you would like additional information on the Alureon / TDSS Virus:
http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Virus%3aWin32%2fAlureon.H
 
If you have any questions regarding this matter, you may call Cox Customer Safety at 800-753-6085.
 
Regards,
 
Cox Customer Safety
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on February 01, 2017, 05:37:18 AM
So I've run some additional scans - a couple from the email from Cox, although I can't get the Cox Security Suite to open for me, not sure if this is because of the virus or if Cox's website is just screwed up (won't go there on another computer either, so I think it's their website).  I ran the Microsoft Safety Scanner, TDSSkiller, Norton Power Eraser, Rkill, Malwarebytes, Zemana & ComboFix; am attaching the first ComboFix report, mainly because I have no idea how to read it.  I ran the ComboFix again, mainly because I opened it to see if there were any options & it just simply runs, so after the second run, it put the reports from the first run in its "Qoobox" folder, those two files are the ones I've attached.   
Title: Re: Browser Hijacker I can't get rid of
Post by: Curson on February 01, 2017, 12:51:50 PM
Hi lkbart,

ComboFix log is clean.
Did TDSSKiller detect anything?

Regards.
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on February 01, 2017, 04:47:33 PM
Honestly can't remember right now - it produced 2 logs & I've attached those.
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on February 01, 2017, 11:38:13 PM
So, I bought a new computer (needed more RAM anyway).  I can't load any personal information on the infected one without fear of it being compromised, and I'm really not in the mood to share my data with all the scammers out there.  Only issue right now is that I have no confidence that the 2 drives that were attached to it are clean.  There are no program files on them (or shouldn't be), there are mainly photo files - CR2, JPG, PSD, PNGs, a few GIFs & some BMPs.  Also some text , WPD (WordPerfect) & PDFs.   

I have read that because photo files contain a space for the metadata, that they could fairly easily be compromised and someone could hide some code in them.  What I don't know is if a photo file is hiding code, will the photo still show up like normal?  And is there any way to scan these drives for stuff like that?  I do have another old computer that I can hook these drives up to, and see if they infect it - it's old and we don't use it, & I'm thinking there's no personal data on it. 

The other thing I may do, since the infected computer has a nice SSD, I may format it from DOS or Linux, and then reinstall windows & see what happens.  I'm just wondering how well the drive was formatted from the Windows 7 formatting & installation, since it took hardly any time at all for it to format, and installation was a lot quicker than when I did the Windows installation without formatting. 

Thoughts on any of this?
Title: Re: Browser Hijacker I can't get rid of
Post by: lkbart on February 02, 2017, 05:43:00 AM
So, got the new computer hooked up, was using Firefox & the blasted Urgent Firefox Update popped up.  I was horrified - I had not plugged any external drives into it and I hadn't been anywhere I would have previously considered to be sketchy.  So I did some research on another computer & apparently it is just an ad - a pretty aggressive and malicious looking ad, but is supposed to be stopped by an ad blocker extension.  Just search for "Fake Firefox Update".  I also installed an ad blocker in Chrome for when I use it since that is where I got the first redirect.  I guess that's why the scans never showed anything, because I never clicked on it and let it install anything, I just pulled the plug.

Since I had only been on like 3 sites, I disconnected from the network and checked the history.  The only thing it could have come from is:  r.search.yahoo.com  We have now blocked that site in the router.  And I believe I had typed a search in the address bar (I have an email at att.net, and yahoo is in the url), and somehow that had to be what caused this crap.  I attached a photo of the history log & I don't read code, but that address can't be legit.  So I have sworn off any Yahoo anything on my computers (am thinking maybe I need to replace that email with a different one too)!

Thanks for all your help.  I did get a new computer out of the deal! I guess that should make up for some of the extreme frustrations of the past week. lol
Title: Re: Browser Hijacker I can't get rid of
Post by: Curson on February 02, 2017, 12:48:25 PM
Hi lkbart,

The TDSSKiller logs were clean as well.
Quote from: lkbart
I have read that because photo files contain a space for the metadata, that they could fairly easily be compromised and someone could hide some code in them.  What I don't know is if a photo file is hiding code, will the photo still show up like normal?  And is there any way to scan these drives for stuff like that?  I do have another old computer that I can hook these drives up to, and see if they infect it - it's old and we don't use it, & I'm thinking there's no personal data on it. 
Metadata can be used to install malware using exploits, but if your software is up to date, it can't happen.
I suggest you do a full antivirus scan of the drive, so you can be sure it doesn't contain anything malicious.

Quote from: lkbart
The other thing I may do, since the infected computer has a nice SSD, I may format it from DOS or Linux, and then reinstall windows & see what happens.  I'm just wondering how well the drive was formatted from the Windows 7 formatting & installation, since it took hardly any time at all for it to format, and installation was a lot quicker than when I did the Windows installation without formatting.
Formatting of an SSD drive is a speedy process.
This is perfectly normal.

Quote from: lkbart
Since I had only been on like 3 sites, I disconnected from the network and checked the history.  The only thing it could have come from is:  r.search.yahoo.com  We have now blocked that site in the router.  And I believe I had typed a search in the address bar (I have an email at att.net, and yahoo is in the url), and somehow that had to be what caused this crap.  I attached a photo of the history log & I don't read code, but that address can't be legit.  So I have sworn off any Yahoo anything on my computers (am thinking maybe I need to replace that email with a different one too)!
The URL is likely linked to an ad.
I advise you to install an ad blocker on your favourite browsers: uBlock Origin for Firefox (https://addons.mozilla.org/en/firefox/addon/ublock-origin/) and uBlock Origin for Chrome (https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en).

Quote from: lkbart
Thanks for all your help.  I did get a new computer out of the deal! I guess that should make up for some of the extreme frustrations of the past week. lol
You are welcome.
Yet, I'm really sorry we weren't able to pinpoint the source of the redirections.

Regards.