Stone Emissary
Cornholio
Posts: 12
Registered: ‎02-11-2012

Re: Persistent Web Threat from http://x-web.in/


I didn't press "Fix" yet since you didn't say to.  Should I fix the problems?  It took a very long time to perform a complete scan (about 3 hours).

 

 

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software

Run date: 2012-02-15 18:30:43

-----------------------------

18:30:43.421    OS Version: Windows x64 6.1.7601 Service Pack 1

18:30:43.421    Number of processors: 8 586 0x1A05

18:30:43.421    ComputerName: REDBULLCORNHOLI  UserName: XXXX

18:30:48.601    Initialize success

18:30:51.128    AVAST engine defs: 12021501

18:30:58.195    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

18:30:58.195    Disk 0 Vendor: ST3500320AS SD15 Size: 476940MB BusType: 3

18:30:58.195    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-3

18:30:58.195    Disk 1 Vendor: ST3320620AS 3.AAE Size: 305245MB BusType: 3

18:30:58.210    Disk 2  \Device\Harddisk2\DR2 -> \Device\Scsi\mv61xx1Port4Path0Target0Lun0

18:30:58.210    Disk 2 Vendor: Maxtor_6  Size: 156334MB BusType: 8

18:30:58.210    Device \Driver\atapi -> MajorFunction fffffa8006bf35c4

18:30:58.210    Disk 0 MBR read successfully

18:30:58.210    Disk 0 MBR scan

18:30:58.226    Disk 0 MBR: Pihar-C [Rtk]

18:30:58.226    Disk 0 TDL4@MBR code has been found

18:30:58.226    Disk 0 Windows 7 default MBR code found via API

18:30:58.226    Disk 0 MBR hidden

18:30:58.226    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       476929 MB offset 63

18:30:58.241    Disk 0 MBR [TDL4]  **ROOTKIT**

18:30:58.241    Disk 0 trace - called modules:

18:30:58.241    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8006bf35c4]<<

18:30:58.241    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006600790]

18:30:58.257    3 CLASSPNP.SYS[fffff8800181743f] -> nt!IofCallDriver -> [0xfffffa80062fc4d0]

18:30:58.257    5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800630d060]

18:30:58.257    \Driver\atapi[0xfffffa80065a2e70] -> IRP_MJ_CREATE -> 0xfffffa8006bf35c4

18:31:00.269    AVAST engine scan C:\Windows

18:31:21.158    AVAST engine scan C:\Windows\system32

18:38:48.192    AVAST engine scan C:\Windows\system32\drivers

18:39:44.633    AVAST engine scan C:\Users\XXXX

20:26:47.310    AVAST engine scan C:\ProgramData

20:46:35.111    Scan finished successfully

21:20:03.022    Disk 0 MBR has been saved successfully to "C:\Users\XXXX\Documents\MBR.dat"

21:20:03.038    The log file has been saved successfully to "C:\Users\XXXX\Documents\aswMBR 2-15-12.txt"

 

Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: Persistent Web Threat from http://x-web.in/


You are infected with the TDL4 rootkit...

 

How to fix

  • Re-run aswMBR

  • Click [Scan]

  • On completion of the scan

    Click the [Fix] for TDL4 (MBRoot)


  • After it's fixed, reboot and run aswMBR again and attach a fresh log. A quick scan is enough.

NEXT

 

Download ComboFix from any of the locations given on this website:

    • IMPORTANT !!! You need to Save ComboFix.exe to your Desktop
      • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure on how to do this, see here
      • Double click on ComboFix.exe & follow the prompts.
      • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      • If you already have the Recovery Console preinstalled, it will not ask for the following. If it does prompt, allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


      Click Yes, to continue scanning for malware. Please be patient and don't use the PC whilst it is scanning.

      When finished, it shall produce a log for you. Please copy & paste the contents of this log (also found at C:\ComboFix.txt) in your next reply at your topic.
—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Stone Emissary
Cornholio
Posts: 12
Registered: ‎02-11-2012

Re: Persistent Web Threat from http://x-web.in/

I fixed and rebooted.  Performed another scan with aswMBR and it showed that it was clean, except it gave me the option to Fix MBR.  Should I do this before doing the ComboFix?  I looked at the Web Threats and it has stopped.  It seems aswMBR fixed the problem.  Also, is there a way to run ComboFix without uninstalling TM?  I run ComboFix in Safe Mode since that is what the instructions require.  In Safe Mode, it appears TM is turned off because Windows is not showing that it's running.  However, ComboFix says it is.  Whenever I continue with the ComboFix scan, I have to re-install TM because it doesn't work after the scan.

 

Here is the log file for aswMBR:

 

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software

Run date: 2012-02-15 21:56:54

 

-----------------------------

 

21:56:54.352    OS Version: Windows x64 6.1.7601 Service Pack 1

21:56:54.352    Number of processors: 8 586 0x1A05

21:56:54.352    ComputerName: REDBULLCORNHOLI  UserName: XXXX

21:56:56.630    Initialize success

21:57:02.932    AVAST engine defs: 12021501

21:57:20.700    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

21:57:20.700    Disk 0 Vendor: ST3500320AS SD15 Size: 476940MB BusType: 3

21:57:20.700    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-7

21:57:20.700    Disk 1 Vendor: ST3320620AS 3.AAE Size: 305245MB BusType: 3

21:57:20.700    Disk 2  \Device\Harddisk2\DR2 -> \Device\Scsi\mv61xx1Port4Path0Target0Lun0

21:57:20.700    Disk 2 Vendor: Maxtor_6  Size: 156334MB BusType: 8

21:57:20.747    Disk 0 MBR read successfully

21:57:20.747    Disk 0 MBR scan

21:57:20.747    Disk 0 Windows 7 default MBR code

21:57:20.762    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       476929 MB offset 63

21:57:20.778    Service scanning

21:57:28.874    Modules scanning

21:57:28.874    Disk 0 trace - called modules:

21:57:29.389    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys

21:57:29.405    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80065ff790]

21:57:29.405    3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa8006314520]

21:57:29.405    5 ACPI.sys[fffff88000fa67a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800630e060]

21:57:30.621    AVAST engine scan C:\Windows

21:57:36.315    AVAST engine scan C:\Windows\system32

22:03:48.672    AVAST engine scan C:\Windows\system32\drivers

22:04:26.269    AVAST engine scan C:\Users\XXXX

23:05:26.115    AVAST engine scan C:\ProgramData

23:15:24.532    Scan finished successfully

03:12:06.859    Disk 0 MBR has been saved successfully to "C:\Users\XXXX\Documents\MBR.dat"

03:12:06.906    The log file has been saved successfully to "C:\Users\XXXX\Documents\aswMBR 2-16-12.txt"

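The two aswMBR logs in this thread differ on only a handful of indicator lines: the 18:30 run prints the `[Rtk]` MBR signature, `MBR hidden`, `**ROOTKIT**` and an `>>UNKNOWN [...]<<` module in the disk call trace, while the 21:56 run after Fix shows the default Windows 7 MBR code and a trace made only of known drivers. As an added example that is not part of the original posts or of aswMBR itself, here is a small Python triage script that pulls those indicators out of the log text and ties the unknown module address to the hooked atapi dispatch address; the log excerpts are constructed from the lines posted above, and the indicator patterns are my own assumptions about aswMBR's output, not a documented format.

```python
import re

# Constructed excerpts of the two aswMBR logs posted in this thread
INFECTED_LOG = """\
18:30:58.210    Device \\Driver\\atapi -> MajorFunction fffffa8006bf35c4
18:30:58.226    Disk 0 MBR: Pihar-C [Rtk]
18:30:58.226    Disk 0 TDL4@MBR code has been found
18:30:58.226    Disk 0 MBR hidden
18:30:58.241    Disk 0 MBR [TDL4]  **ROOTKIT**
18:30:58.241    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8006bf35c4]<<
"""
CLEAN_LOG = """\
21:57:20.747    Disk 0 MBR read successfully
21:57:20.747    Disk 0 Windows 7 default MBR code
21:57:29.389    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
"""

# Indicator patterns assumed from the lines aswMBR printed above
INDICATORS = {
    "rootkit_flag": re.compile(r"\*\*ROOTKIT\*\*"),
    "mbr_hidden": re.compile(r"\bMBR hidden\b"),
    "mbr_signature": re.compile(r"MBR: \S+ \[Rtk\]"),
    "tdl4_code": re.compile(r"TDL4@MBR code has been found"),
}
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[0x([0-9a-f]+)\]<<")
HOOKED_DISPATCH = re.compile(r"\\Driver\\(\w+) -> MajorFunction ([0-9a-f]+)")


def triage(log):
    """Return ("INFECTED" | "CLEAN", {indicator: evidence}) for one aswMBR log."""
    hits, unknown, hooked = {}, None, {}
    for line in log.splitlines():
        for key, pat in INDICATORS.items():
            if pat.search(line):
                hits[key] = line.split(None, 1)[1].strip()  # drop the timestamp
        if m := UNKNOWN_MODULE.search(line):
            unknown = m.group(1)
        if m := HOOKED_DISPATCH.search(line):
            hooked[m.group(2)] = m.group(1)
    # The unknown module in the disk call trace sits at the same address the
    # driver's MajorFunction was redirected to: that tie is the I/O hook.
    if unknown and unknown in hooked:
        hits["hooked_driver"] = hooked[unknown]
    return ("INFECTED" if hits else "CLEAN"), hits
```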
Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: Persistent Web Threat from http://x-web.in/


Please run ComboFix in safe mode, bypass any warnings, and attach the ComboFix log.

 

aswMBR log is fine now. No need to run it.

Stone Emissary
purdyra
Posts: 5
Registered: ‎11-13-2010

Re: Persistent Web Threat from http://x-web.in/

I am following this very closely, we have the same problem.

On the ComboFix, the user emailed me and said it cleaned 100 items but for the remaining 3000 items we have to pay for it.  Does ComboFix cost money? Let me know and thank you.

 

Also, how come Trend Micro can't remove this?  It's a pain to pay all of this money to Trend for all of our cpus and they don't catch something that has been out there for this long.

Stone Emissary
Cornholio
Posts: 12
Registered: ‎02-11-2012

Re: Persistent Web Threat from http://x-web.in/

I ran ComboFix again and attached the log file.  It appears the problem has been fixed. Thanks malwarekiller for all of your help.

Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: Persistent Web Threat from http://x-web.in/


Simply delete all tools we used.

Well, subject to no further problems, your computer is clean.

Now let me do some tune-ups.

 



Mark this topic as solved... use the options tab of your topic to do so. Select the reply which you think is the solution to your problem, and click on the options tab of that particular reply and select "mark as solution".

 

Remove combofix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (notice the space between the "x" and "/") then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled


For the first run I would recommend a boot defrag and disk check.



Download and run Puran Disc Defragmenter

 

 

You may use this tool to keep junk temp files away:

http://www.piriform.com/ccleaner/download


 
Malwarebytes: update and run it today. I also recommend running it weekly to keep your system clean.

Download and install FileHippo Update Checker and run it monthly. It will show you which programmes on your system need updating and give a download link.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version



To manually create a new Restore Point
 

  • Go to Control Panel and select System 
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom 
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones

  • Go to Start > All programs > Accessories > System Tools
  • Right click Disc cleanup and select run as administrator
  • Select Your main drive and accept the warning if you get one 
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up 
  • Select OK
  • Select Delete.

 

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. 

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ?

 

Stay Safe! :)

Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: Persistent Web Threat from http://x-web.in/


purdyra, please make a separate topic in the malware discussion board and I will help you there.

Stone Emissary
Cornholio
Posts: 12
Registered: ‎02-11-2012

Re: Persistent Web Threat from http://x-web.in/

Thanks again malwarekiller!

Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: Persistent Web Threat from http://x-web.in/

No problem!

 

Happy to help!
