Bot Obliterator
Quads
Posts: 13,246
Registered: ‎07-21-2008

Re: GOOGLE REDIRECTS TO http://abnow.com


I am wondering, like another forum where they have had a user get infected 5 times, YES 5 times, after the system each time is clean, whether it's to do with the fixed I.P. address, or the PC connects to an infected network.

Both previous times your infections were different, different files and locations etc. Also I had to repair Windows the second time.

If it is a fully infected zeroaccess again, then a reformat and fresh install does not work.

It doesn't take that long hahaha, takes longer than me at a PC removing Malware, and especially when you do all of the reformat and fresh installs and find [bleeps] I still have zeroaccess or mebroot.

The other theory is to do with the way Symantec (Norton) detects any files of certain malware families. At times when Norton detects a file it also grabs the registry keys even when it's a NO, and asks for a Restart, for a dormant file, but the registry keys get altered anyway causing problems.

 

Quads

Contributor
shevo11
Posts: 93
Registered: ‎03-14-2012

Re: GOOGLE REDIRECTS TO http://abnow.com

I understand very little, what do you suggest me to do?

Bot Obliterator
Quads
Posts: 13,246
Registered: ‎07-21-2008

Re: GOOGLE REDIRECTS TO http://abnow.com


I asked you to look up the history.

I need the file names of all the Trojans it found also, one is

The file that the active scan found was:

"file ntos
location C:\Windows\system32
action left unchanged"

 

The files it detected last time on the restart were from the Combofix quarantine folder.

 

 

Error - 26/03/2012 07:38:20 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess in File: C:\Qoobox\Quarantine\C\Documents
and Settings\admin\Configuración local\Datos de programa\69c3a23e\U\00000001.@.vir
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file
was deleted successfully.

Error - 26/03/2012 07:38:22 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan Horse in File: C:\Qoobox\Quarantine\C\Documents
and Settings\admin\Configuración local\Datos de programa\69c3a23e\U\000000c0.@.vir
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 26/03/2012 07:38:23 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: C:\Qoobox\Quarantine\C\Documents
and Settings\admin\Configuración local\Datos de programa\69c3a23e\U\80000000.@.vir
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 26/03/2012 07:38:23 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: C:\Qoobox\Quarantine\C\Documents
and Settings\admin\Configuración local\Datos de programa\69c3a23e\U\800000c0.@.vir
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 26/03/2012 07:38:24 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan Horse in File: C:\Qoobox\Quarantine\C\Documents
and Settings\admin\Configuración local\Datos de programa\69c3a23e\U\800000cf.@.vir
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

 

 

Quads

Contributor
shevo11
Posts: 93
Registered: ‎03-14-2012

Re: GOOGLE REDIRECTS TO http://abnow.com

How can I look up the history?

Bot Obliterator
Quads
Posts: 13,246
Registered: ‎07-21-2008

Re: GOOGLE REDIRECTS TO http://abnow.com

Run OTL while I look that question up, and post the 2 logs it gives.

Also, when trying to start in Normal mode, how far along does it load?

 

Quads

Bot Obliterator
Quads
Posts: 13,246
Registered: ‎07-21-2008

Re: GOOGLE REDIRECTS TO http://abnow.com

For others,

It is actually not really that surprising people around are getting reinfected by these groups of malware, as the creators are active.

Since around the beginning of March (approx.) I have 207 samples of Mebroot alone for this month from websites, so if a user only got infected by 10 of the 207 samples that is still 10 times.

Let alone the other active groups like zeroaccess, pihar, MaxSS etc.

 

Quads

Contributor
shevo11
Posts: 93
Registered: ‎03-14-2012

Re: GOOGLE REDIRECTS TO http://abnow.com

Bot Obliterator
Quads
Posts: 13,246
Registered: ‎07-21-2008

Re: GOOGLE REDIRECTS TO http://abnow.com

It looks like Symantec did its job, it removed the files. Although it looks like there may be a problem with Symantec and another driver causing an error for whatever reason.

Symantec detections and errors, with 2 files not being able to be removed (Blue = Good, Red = still to sort out, Green = In Memory):

 

 


Error - 29/03/2012 11:59:09 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan Horse in File: C:\Documents and Settings\admin\Configuración
local\Datos de programa\69c3a23e\U\800000cf.$ by: Auto-Protect scan. Action: Quarantine
succeeded : Access denied. Action Description: The file was quarantined successfully.



Error - 29/03/2012 11:59:09 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: C:\Documents and Settings\admin\Configuración
local\Datos de programa\69c3a23e\U\800000c0.$ by: Auto-Protect scan. Action: Quarantine
succeeded : Access denied. Action Description: The file was quarantined successfully.



Error - 29/03/2012 11:59:10 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!inf in File: C:\WINDOWS\system32\AsuhfivrO.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 29/03/2012 11:59:38 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!inf in File: C:\WINDOWS\system32\DS1410D.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 29/03/2012 12:00:38 p.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!inf in File: C:\WINDOWS\system32\cfsvcs.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 29/03/2012 12:20:41 p.m. | Computer Name = BANGHOPREMIUM | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 29/03/2012 12:34:16 p.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!kmem in File: c:\windows\system32\ntos
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 29/03/2012 12:57:42 p.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!kmem in File: c:\windows\system32\ntos
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 29/03/2012 03:27:51 p.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!kmem in File: c:\windows\system32\ntos
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 29/03/2012 05:42:26 p.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!kmem in File: c:\windows\system32\ntos
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

[ System Events ]
Error - 29/03/2012 12:20:38 p.m. | Computer Name = BANGHOPREMIUM | Source = DCOM | ID = 10005
Description = DCOM ha obtenido un error "%1084" al intentar iniciar el servicio
LiveUpdate con argumentos "" para ejecutar el servidor: {03E0E6C2-363B-11D3-B536-00902771A435}

Error - 29/03/2012 12:21:36 p.m. | Computer Name = BANGHOPREMIUM | Source = Service Control Manager | ID = 7026
Description = El controlador de inicialización siguiente no se cargó correctamente:
eeCtrl Fips intelppm SPBBCDrv sptd SRTSP SRTSPX SYMTDI

Error - 29/03/2012 12:21:40 p.m. | Computer Name = BANGHOPREMIUM | Source = DCOM | ID = 10005
Description = DCOM ha obtenido un error "%1084" al intentar iniciar el servicio
StiSvc con argumentos "" para ejecutar el servidor: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 29/03/2012 12:26:33 p.m. | Computer Name = BANGHOPREMIUM | Source = DCOM | ID = 10005
Description = DCOM ha obtenido un error "%1084" al intentar iniciar el servicio
EventSystem con argumentos "" para ejecutar el servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 29/03/2012 12:29:03 p.m. | Computer Name = BANGHOPREMIUM | Source = sptd | ID = 262148
Description = El controlador detectó un error interno en la estructura de datos
de .

Error - 29/03/2012 12:30:16 p.m. | Computer Name = BANGHOPREMIUM | Source = DCOM | ID = 10005
Description = DCOM ha obtenido un error "%1084" al intentar iniciar el servicio
EventSystem con argumentos "" para ejecutar el servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 29/03/2012 12:30:25 p.m. | Computer Name = BANGHOPREMIUM | Source = DCOM | ID = 10005
Description = DCOM ha obtenido un error "%1084" al intentar iniciar el servicio
EventSystem con argumentos "" para ejecutar el servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 29/03/2012 12:32:05 p.m. | Computer Name = BANGHOPREMIUM | Source = SRTSP | ID = 524292
Description = Error loading virus definitions.

Error - 29/03/2012 12:32:05 p.m. | Computer Name = BANGHOPREMIUM | Source = SRTSP | ID = 524293
Description = Error loading Symantec real time Anti-Virus driver.

Error - 29/03/2012 12:32:06 p.m. | Computer Name = BANGHOPREMIUM | Source = Service Control Manager | ID = 7026
Description = El controlador de inicialización siguiente no se cargó correctamente:
SRTSP


 

And you are in Normal Mode so that is good.

 


Quads
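The colour code Quads applied to the log above (Blue = Good, Red = still to sort out, Green = In Memory) does not survive in this copy of the thread. Here is an added Python example, not code from the thread, from Symantec or from the OTL tool, that parses OTL-style Symantec AntiVirus entries like the ones quoted and tags each detection the same three ways: good (file cleaned or quarantined), still to sort out (file left unchanged on disk), in memory (a `!kmem` detection). The sample entries are constructed after the ones in the post, and reading `!kmem` as the "In Memory" case is my interpretation of Quads' note.

```python
import re
# Constructed OTL-style Symantec AntiVirus entries modelled on the ones quoted
# in this thread; not an export from the poster's machine.
SAMPLE_LOG = r"""
Error - 29/03/2012 11:59:09 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan Horse in File: C:\Documents and Settings\admin\Configuración
local\Datos de programa\69c3a23e\U\800000cf.$ by: Auto-Protect scan. Action: Quarantine
succeeded : Access denied. Action Description: The file was quarantined successfully.

Error - 29/03/2012 11:59:10 a.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!inf in File: C:\WINDOWS\system32\AsuhfivrO.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 29/03/2012 12:20:41 p.m. | Computer Name = BANGHOPREMIUM | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 29/03/2012 12:34:16 p.m. | Computer Name = BANGHOPREMIUM | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zeroaccess!kmem in File: c:\windows\system32\ntos
by: Manual scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.
"""
# An OTL entry is one header line followed by a wrapped "Description = ..." body.
HEADER = re.compile(r"^Error - (?P<when>.+?) \| Computer Name = .+? \| Source = (?P<source>.+?) \| ID = \d+$")
DETECT = re.compile(r"Security Risk Found!(?P<threat>.+?) in File: (?P<path>.+?) by: .+?\. "
                    r"Action: (?P<action>.+?)\. Action Description: (?P<result>.+)$")

def triage(text):
    """One row per Symantec detection, tagged with the thread's colour code: good =
    cleaned/quarantined, still to sort out = file left on disk, in memory = !kmem."""
    rows = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        if not head or head["source"] != "Symantec AntiVirus":
            continue  # LiveUpdate, DCOM and driver-load errors are not detections
        det = DETECT.search(" ".join(l.strip() for l in lines[1:]))  # unwrap body
        if not det:
            continue
        if det["threat"].endswith("!kmem"):
            status = "in memory"  # kernel-memory detection: nothing on disk to delete
        elif "left unchanged" in det["result"]:
            status = "still to sort out"  # clean and quarantine both failed
        else:
            status = "good"
        rows.append({"when": head["when"], "threat": det["threat"], "path": det["path"],
                     "action": det["action"], "status": status})
    return rows
```

Run `triage(SAMPLE_LOG)` and the rows marked "still to sort out" are the files a follow-up tool still has to deal with, which is the list Quads built by hand.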


 

Contributor
shevo11
Posts: 93
Registered: ‎03-14-2012

Re: GOOGLE REDIRECTS TO http://abnow.com

But is it an error, or do I have to do something to get rid of this?

Bot Obliterator
Quads
Posts: 13,246
Registered: ‎07-21-2008

Re: GOOGLE REDIRECTS TO http://abnow.com

Download Combofix from the bleeping computer site.

Disconnect from the internet, then disable Symantec for 1 hour (don't select until the computer is restarted).

Then do the drag and drop of the CFScript.txt on to Combofix.exe like you have done before, then let it run as you have done before and so on.

 

Quads