redirected from an MSN link

Chris

Thanks for your help in advance.
I understand that one should post one problem at a time but this all started
at the very same time.
Everything was working fine until this incident.
Yesterday morning my gf was surfing around. She says she clicked on a link
on a MSN page. A box came up and said “you are being redirected”. Our
antivirus then popped up listing a couple files it had deleted and noted a
couple of files that were infected but could not be deleted. The computer
has not been able to connect and browse the internet since. There are also a
couple other funky things going on with the machine since that incident.
WinXP Pro, IE7, nFORCE4M-A motherboard, 1 gig ram, 1.2 ghz duron, computer
associate’s antivirus, on a small home network. other machines on the home
network work fine and browse with no problem.

As mentioned, the machine will not connect to the internet. Also, system
restore is non functioning. I can change display and toolbar settings but
upon rebooting the changes are lost. It is extremely slow in booting now and
once booted even when idle the HD light indicates there is activity on the
HD. And windows no longer recognizes devices plugged into the usb ports.

System restore will not work in either safe or normal mode. I can not turn
system restore off. When I try to access system restore in safe mode I get
the message “system restore is not turned on and can not be accessed in safe
mode”. When I try system restore in safe mode with a command prompt
(%systemroot%\system32\restore\rstrui.exe) I get the same message. Even
though system restore has been on for months there are no restore points
shown when I go to programs/accessories/system tools/system tools.

I have uninstalled and reinstalled the network/network components.

When the machine boots I get the error message “there was a problem opening
zzpnfq4.exe…” I found zzpnfq4.exe in the system32 dir and removed it. I
also removed any reference to zzpnfq4.exe from the registry. The issues
continued unchanged. I also was not able to find any reference to
zzpnfq4.exe anywhere on the web.

When I shut the machine down an error message comes up referencing
“matask32….”. that’s all I can get of the error message because it flashes
by so fast.

I am open to suggestions and am willing to provide any more info that might
be helpful.

thanks again,
Chris
 
Your system is infected with either or both malware and a virus.
Try this, as copied from an earlier post;
--------------------------------------


Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et. al., removal tool --
SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to enable WGET.EXE to download the needed McAfee
related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan,
it will be displayed in your browser (Opera, FireFox or Internet Explorer).
However, if you are using WinXP, Win2K or Win2003 your system will be left
in a state where you will have to manually shutdown/reboot the PC. On
Win9x/ME platforms the report will not be shown in your browser but your PC
will automatically be shutdown. It is suggested that you move the report
out of c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a
copy of the HTML report for each session.


ALTERNATE:

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your
reply.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


"Chris" <Chris@discussions.microsoft.com> wrote in message
news:EC629D08-F499-4BC3-879B-F368109C07DD@microsoft.com...
> Thanks for your help in advance.
> I understand that one should post one problem at a time but this all
> started
> at the very same time.
> Everything was working fine until this incident.
> Yesterday morning my gf was surfing around. She says she clicked on a
> link
> on a MSN page. A box came up and said "you are being redirected". Our
> antivirus then popped up listing a couple files it had deleted and noted a
> couple of files that were infected but could not be deleted. The computer
> has not been able to connect and browse the internet since. There are
> also a
> couple other funky things going on with the machine since that incident.
> WinXP Pro, IE7, nFORCE4M-A motherboard, 1 gig ram, 1.2 ghz duron, computer
> associate's antivirus, on a small home network. other machines on the
> home
> network work fine and browse with no problem.
>
> As mentioned, the machine will not connect to the internet. Also, system
> restore is non functioning. I can change display and toolbar settings but
> upon rebooting the changes are lost. It is extremely slow in booting now
> and
> once booted even when idle the HD light indicates there is activity on
> the
> HD. And windows no longer recognizes devices plugged into the usb ports.
>
> System restore will not work in either safe or normal mode. I can not
> turn
> system restore off. When I try to access system restore in safe mode I
> get
> the message "system restore is not turned on and can not be accessed in
> safe
> mode". When I try system restore in safe mode with a command prompt
> (%systemroot%\system32\restore\rstrui.exe) I get the same message. Even
> though system restore has been on for months there are no restore points
> shown when I go to programs/accessories/system tools/system tools.
>
> I have uninstalled and reinstalled the network/network components.
>
> When the machine boots I get the error message "there was a problem
> opening
> zzpnfq4.exe." I found zzpnfq4.exe in the system32 dir and removed it. I
> also removed any reference to zzpnfq4.exe from the registry. The issues
> continued unchanged. I also was not able to find any reference to
> zzpnfq4.exe anywhere on the web.
>
> When I shut the machine down an error message comes up referencing
> "matask32..". that's all I can get of the error message because it
> flashes
> by so fast.
>
> I am open to suggestions and am willing to provide any more info that
> might
> be helpful.
>
> thanks again,
> Chris
>
 
"Chris" wrote:

> Thanks for your help in advance.
> I understand that one should post one problem at a time but this all started
> at the very same time.
> Everything was working fine until this incident.
> Yesterday morning my gf was surfing around. She says she clicked on a link
> on a MSN page. A box came up and said “you are being redirected”. Our
> antivirus then popped up listing a couple files it had deleted and noted a
> couple of files that were infected but could not be deleted. The computer
> has not been able to connect and browse the internet since. There are also a
> couple other funky things going on with the machine since that incident.
> WinXP Pro, IE7, nFORCE4M-A motherboard, 1 gig ram, 1.2 ghz duron, computer
> associate’s antivirus, on a small home network. other machines on the home
> network work fine and browse with no problem.
>
> As mentioned, the machine will not connect to the internet. Also, system
> restore is non functioning. I can change display and toolbar settings but
> upon rebooting the changes are lost. It is extremely slow in booting now and
> once booted even when idle the HD light indicates there is activity on the
> HD. And windows no longer recognizes devices plugged into the usb ports.
>
> System restore will not work in either safe or normal mode. I can not turn
> system restore off. When I try to access system restore in safe mode I get
> the message “system restore is not turned on and can not be accessed in safe
> mode”. When I try system restore in safe mode with a command prompt
> (%systemroot%\system32\restore\rstrui.exe) I get the same message. Even
> though system restore has been on for months there are no restore points
> shown when I go to programs/accessories/system tools/system tools.
>
> I have uninstalled and reinstalled the network/network components.
>
> When the machine boots I get the error message “there was a problem opening
> zzpnfq4.exe…” I found zzpnfq4.exe in the system32 dir and removed it. I
> also removed any reference to zzpnfq4.exe from the registry. The issues
> continued unchanged. I also was not able to find any reference to
> zzpnfq4.exe anywhere on the web.
>
> When I shut the machine down an error message comes up referencing
> “matask32….”. that’s all I can get of the error message because it flashes
> by so fast.
>
> I am open to suggestions and am willing to provide any more info that might
> be helpful.
>
> thanks again,
> Chris




Hi Chris,
I think you have the latest of Troj/Bifrose-??; you will need an off-line
scanner to scan and isolate this pest.

It locates itself here, C:\Windows\System32\mstask32.exe, and gains/schedules
a start on startup and gains control of your system, thus making you unable
to gain control or perform some tasks.

BKDR_BIFROSE.CI
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_BIFROSE.CI
Backdoor.Win32.Bifrose.d
http://www.symantec.com/security_response/writeup.jsp?docid=2004-101214-5358-99&tabid=3

mstask32.exe- Added by the YAHA.P WORM or Troj/Loony-D
http://www.greatis.com/appdata/d/m/mstask32.exe.htm

Go through these Cleaning steps:
1... First, try to clean up your caches, Internet files and delete cookies
by doing this:
Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties windows you will see these Tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under General Tab clear your History, Internet Files and Cookies.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then click on Programs Tab and click Manage Add-Ons and Disable all non
Verified Add-Ons (You should Re-enable them later one-by-one and see the
culprit and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
Spybot Search & Destroy
http://www.safer-networking.org/en/download/index.html
Try Spybot S&D after, as it will need to download the definitions and it will
scan your system until it updates itself (hence with no connection you cannot)
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
RootkitRevealer v1.71
By Bryce Cogswell and Mark Russinovich
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

Download Avast Cleaner (off-line scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine (off-line scanner):
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

After the scan run disk cleanup on your drive.

Open a run command and type in:
ipconfig /flushdns click [OK]
ipconfig /renew click [OK]
netsh winsock reset click [OK]
Reboot your system and see if you can connect; if you can, try to scan from
an online scanner like:
Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

2- Download the Hijackthis and send the report to one of many
forums for analysis and troubleshooting:
http://www.merijn.org/index.php
When all else fails, HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) is
the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.
HTH.
Let us know how it is going.
nass
----
http://www.nasstec.co.uk
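
An added example, not part of any post in this thread: a small Python triage of the O4 (registry Run key autostart) lines in a HijackThis log, flagging entries that launch the file names mentioned in the posts above. The log text is constructed for illustration, and the watchlist and function names are assumptions of this example.

```python
import ntpath
import re

# File names taken from the thread: the boot-time error and the suggested location.
WATCHLIST = {"zzpnfq4.exe", "mstask32.exe"}

# Constructed sample in HijackThis's log layout; not a log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zzpnfq4] C:\WINDOWS\system32\zzpnfq4.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Task Scheduler] "C:\WINDOWS\system32\mstask32.exe" /s
"""

# Registry autostart lines only; "O4 - Startup:" shortcut lines are not handled here.
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# A quoted path, or the shortest bare prefix that ends in a program extension.
PROGRAM = re.compile(
    r'"([^"]+)"|(.+?\.(?:exe|dll|bat|com|scr))(?=[\s,]|$)', re.IGNORECASE
)


def target_of(cmd):
    """Return the program an autostart command launches, without its arguments."""
    m = PROGRAM.match(cmd.strip())
    if not m:
        return cmd.split()[0]
    return m.group(1) or m.group(2)


def triage(log_text):
    """Return (hive, value name, program, flagged) for each O4 registry line."""
    rows = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            program = target_of(m.group("cmd"))
            flagged = ntpath.basename(program).lower() in WATCHLIST
            rows.append((m.group("hive"), m.group("name"), program, flagged))
    return rows


if __name__ == "__main__":
    for hive, name, program, flagged in triage(SAMPLE_LOG):
        print(f"{'REVIEW' if flagged else 'ok':6} {hive} [{name}] {program}")
```

A match on the watchlist only marks an entry for review; every autostart line in a real log still needs checking, since an unfamiliar file name will not be on the list.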
 