Visitor
stacey1968
Posts: 7
Registered: ‎09-27-2009
Accepted Solution

thefeedonline redirect of window ie8 and foxfire! virus!

here we go...  i have been dealing with this for a week now. 

 

norton finds nothing now.  but found a virus called TROJAN HORSE and cleaned it on the 20th.

 

Malwarebytes finds the following:

 

Malwarebytes' Anti-Malware 1.41
Database version: 2861
Windows 5.1.2600 Service Pack 3

9/27/2009 3:36:53 PM
mbam-log-2009-09-27 (15-36-53).txt

Scan type: Full Scan (C:\|D:\|K:\|)
Objects scanned: 346225
Time elapsed: 3 hour(s), 18 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\calc.dll (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Backdoor.Bot) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Downloader) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\calc.dll (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\HP_Administrator.WALKERFAMILY\protect.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.WALKERFAMILY\Start Menu\Programs\Startup\scandisk.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP187\A0048796.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.WALKERFAMILY\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.WALKERFAMILY\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

 

Big issue is after I reboot.  They are still there...

 

I can't even get to safemode to try running programs here.  

 

I really need some help.

 

I get redirected when I try to click on links in sites.  I am unable to log in to https:// sites.

 

Help please...

 

Stacey 
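
A triage sketch for the scan log in the post above, added here as an example and not part of the original thread: it parses the log's item lines and lists the objects whose removal was only scheduled ("Delete on reboot"), with autostart locations (Run keys, Startup folder) first, as the entries to look for again in the next scan. The function names are this example's own; the sample lines are copied from that log.

```python
import re

# Lines copied from the Malwarebytes log in the post above.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\calc.dll (Backdoor.Bot) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Backdoor.Bot) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Downloader) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\calc.dll (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\HP_Administrator.WALKERFAMILY\protect.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.WALKERFAMILY\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.WALKERFAMILY\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
"""

# Item line shape: "<object> (<detection name>) -> <action>."
ITEM = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?\s*$")
SECTION = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:\s*$")
# Locations Windows reads at logon, so anything left here runs again.
AUTOSTART = re.compile(r"\\CurrentVersion\\Run\\|\\Start Menu\\Programs\\Startup\\", re.I)

def parse_mbam_log(text):
    """Return one dict per detected item, tagged with its log section."""
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM.match(line)
        if m and section:
            d = m.groupdict()
            d["section"] = section
            d["autostart"] = bool(AUTOSTART.search(d["path"]))
            d["pending"] = d["action"].lower().startswith("delete on reboot")
            items.append(d)
    return items

def recheck_after_reboot(items):
    """Unique objects whose removal was only scheduled, autostart entries first."""
    pending = {i["path"]: i for i in items if i["pending"]}
    return sorted(pending.values(), key=lambda i: (not i["autostart"], i["path"]))

if __name__ == "__main__":
    for i in recheck_after_reboot(parse_mbam_log(SAMPLE_LOG)):
        print("AUTOSTART" if i["autostart"] else "file     ", i["name"], i["path"])
```
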

Bot Obliterator
Quads
Posts: 13,910
Registered: ‎07-21-2008

Re: thefeedonline redirect of window ie8 and foxfire! virus!

Hi

 

1. What programs have you used?

2. What rogue software came in or tried to come in??

 

Quads 

Visitor
stacey1968
Posts: 7
Registered: ‎09-27-2009

Re: thefeedonline redirect of window ie8 and foxfire! virus!

Nothing that I know of...  I was working with Microsoft on the issue after updating to the latest upgrade to IE8 and additional adds from them.  After the update I was unable to get to https:// sites.  Anything with a password would just reset the page.  If I selected a link it would redirect with thefeedonline.com and a search engine.  I know it's strange.  But that is what happened...  Any ideas on how to fix it?

 

Stacey 

Message Edited by stacey1968 on 09-27-2009 07:41 PM
Bot Obliterator
Quads
Posts: 13,910
Registered: ‎07-21-2008

Re: thefeedonline redirect of window ie8 and FireFox! virus!

Hi

 

Download GMER and do a scan, then create a log, just to check if there is a background Rootkit

 

http://www.gmer.net/

 

Quads 

Visitor
stacey1968
Posts: 7
Registered: ‎09-27-2009

Re: thefeedonline redirect of window ie8 and FireFox! virus!

thanks for responding... 

 

running now...  

 

it may take a while...

 

i will reply with attachment.

 

stacey 

 

Visitor
stacey1968
Posts: 7
Registered: ‎09-27-2009

Re: thefeedonline redirect of window ie8 and FireFox! virus!

System crash.  

 

I will post later today if I can.

 

Stacey 

Spyware Scolder
Boofo
Posts: 244
Registered: ‎11-16-2008

Re: thefeedonline redirect of window ie8 and FireFox! virus!



I found these 2 pages on a couple of the items you have.

calc.dll (Malicious Software)
http://info.prevx.com/aboutprogramtext.asp?PX5=FEFD92D200D7E13458C50067F740620075E524F1 

protect.dll (Rootkit)
http://www.prevx.com/filenames/16023302822361271-X1/PROTECT.DLL.html

Message Edited by Boofo on 09-28-2009 09:21 AM


~ How do I un-overwrite all my data? ~
Bot Obliterator
Quads
Posts: 13,910
Registered: ‎07-21-2008

Re: thefeedonline redirect of window ie8 and FireFox! virus!

Hi Stacey

 

Try a scan where just on the upper right hand side the "Services" and "Registry" are selected

 

Quads 

Bot Obliterator
Quads
Posts: 13,910
Registered: ‎07-21-2008

Re: thefeedonline redirect of window ie8 and FireFox! virus!

Boofo

 

I know what they are, it's a matter of if anything else is in behind them so that is all in a combination or if that is all. Sometimes the grouping even comes with Virut.

 

Quads 

Spyware Scolder
Boofo
Posts: 244
Registered: ‎11-16-2008

Re: thefeedonline redirect of window ie8 and FireFox! virus!

Just trying to help. Sorry.


~ How do I un-overwrite all my data? ~