Internet Browser Malware?


Re: Internet Browser Malware?

Post by luckyguy457321 » October 11th, 2012, 5:25 am

is there more than one computer connected to your home network, and if there is, are any of the other computers having problems connecting their browsers?

No, none of them are having problems. Just the single computer.

The GMER scan is still running; it has finished the C: drive and is on to the D: drive. ZoneAlarm stuff appeared on the list.
Here is a copy of the GMER scan so far:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-11 17:23:39
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HD250HJ rev.FH100-06
Running: t12ubzby.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\pgtdypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwDeleteKey [0xF1AAC3E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwDeleteValueKey [0xF1AAC340]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwLoadKey [0xF1AAC460]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwReplaceKey [0xF1AAC510]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwRestoreKey [0xF1AAC590]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwSetValueKey [0xF1AAC290]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF4A93360, 0x348C87, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[716] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 01531102 C:\Program Files\Unlocker\UnlockerHook.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F1A9CA30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F1A9CC80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F1A9CDC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F1A9CB90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F1A9CB90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F1A9CA30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F1A9CC80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F1A9CDC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F1A9CA30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F1A9CB90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F1A9CDC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F1A9CC80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F1A9CDC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F1A9CC80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F1A9CA30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F1A9CB90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F1A9CA30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F1A9CC80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F1A9CDC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F1A9CA30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F1A9CB90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F1A9CDC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F1A9CC80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat VET-FILT.SYS
AttachedDevice \FileSystem\Fastfat \Fat VET-REC.SYS
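The GMER log above is the evidence the helper works from: every SSDT, IAT and device entry names the module that installed the hook, and the question is whether that module belongs to software still installed. The following parser is an added example (not GMER's own code or anything from this thread); it groups the hook lines by installing module and lists kernel hookers that no confirmed product explains. The sample log is constructed from lines in the format GMER prints.

```python
import re
from collections import defaultdict
# One pattern per GMER line type; named groups pick out the hooking module and what it hooks.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\([^)]*\)\s+(?P<target>\w+)\s+\[0x[0-9A-Fa-f]+\]")
IAT_RE = re.compile(r"^IAT\s+\S+?\[(?P<target>[^\]]+)\]\s+\[[0-9A-Fa-f]+\]\s+(?P<module>\S+)")
USER_RE = re.compile(r"^\.text\s+\S+?\[\d+\]\s+(?P<target>\S+)\s+\w+\s+\d+\s+Bytes\s+JMP\s+\w+\s+(?P<module>.+\S)\s*$")
DEVICE_RE = re.compile(r"^(?:Device|AttachedDevice)\s+\S+\s+(?P<target>\S+)\s+(?P<module>\S+)")
PATTERNS = (("SSDT", SSDT_RE), ("IAT", IAT_RE), ("USER", USER_RE), ("DEVICE", DEVICE_RE))

# Constructed sample: a handful of lines in the format GMER prints (section headers omitted).
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwDeleteKey [0xF1AAC3E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.) ZwSetValueKey [0xF1AAC290]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF4A93360, 0x348C87, 0xE8000020]
.text C:\WINDOWS\Explorer.EXE[716] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 01531102 C:\Program Files\Unlocker\UnlockerHook.dll
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F1A9CC80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F1A9CA30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)
"""

def parse_gmer(text):
    """Return (kind, hooking-module basename, hooked target) for every hook line GMER reports."""
    records = []
    for line in text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.match(line.strip())
            if m:
                module = m.group("module").rsplit("\\", 1)[-1].lower()
                records.append((kind, module, m.group("target")))
                break  # "section is writeable" lines match nothing and are skipped
    return records

def hooks_by_module(records):
    """Group hooks by installing module: {module: {kind: [targets]}} shows one driver's whole footprint."""
    grouped = defaultdict(lambda: defaultdict(list))
    for kind, module, target in records:
        grouped[module][kind].append(target)
    return {module: dict(kinds) for module, kinds in grouped.items()}

def unexplained_kernel_hookers(records, installed_modules):
    """Kernel-level hookers (SSDT/IAT) not accounted for by software the user confirms is installed.
    A firewall driver still hooking NDIS after its product was uninstalled shows up here."""
    kernel = {module for kind, module, _ in records if kind in ("SSDT", "IAT")}
    return sorted(kernel - {m.lower() for m in installed_modules})

if __name__ == "__main__":
    recs = parse_gmer(SAMPLE_LOG)
    print(hooks_by_module(recs), unexplained_kernel_hookers(recs, []))
```

Feed the allow-list from what the user says is installed; with an empty list the sample reports vsdatant.sys as the only kernel hooker to reconcile.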

Re: Internet Browser Malware?

Post by Gary R » October 11th, 2012, 6:50 am

OK, first of all there's still a remnant of Zone Alarm to remove.

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:OTL
DRV - [2004/07/14 05:09:22 | 000,270,672 | ---- | M] (Zone Labs Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)


  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

See if you can connect now.

If you can, let me know, if not .....

Next

The fact that the other computers on your Network can connect tells us that the problem is not with your router configuration, or due to any problems at the server end, which only really leaves us with misconfigured browsers.

Can you try uninstalling one of your browsers and re-installing a clean copy? Try Firefox, since it's a fairly small download and I'm more familiar with it than IE or Chrome.

Re: Internet Browser Malware?

Post by luckyguy457321 » October 11th, 2012, 7:32 am

After running OTL with the command, it asked me to restart, which I did.
After that I uninstalled Firefox and installed the latest version 15.0.1 from the site.
Firefox couldn't connect to google.com or the other two browsers.
Here is the log that appeared after the reboot:

OTL's 10112012_192101.log
========== OTL ==========
Error: Unable to stop service vsdatant!
Unable to delete service\driver key vsdatant.
File move failed. C:\WINDOWS\system32\vsdatant.sys scheduled to be moved on reboot.

OTL by OldTimer - Version 3.2.69.0 log created on 10112012_192101

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\system32\vsdatant.sys scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Re: Internet Browser Malware?

Post by Gary R » October 11th, 2012, 9:31 am

Looks like vsdatant wasn't removed by OTL, let's try another tool.

Download Avenger by Swandog and unzip it to your Desktop.

  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and Paste it into the Input script here: box.
Code:
Drivers to delete:
vsdatant

Files to delete:
C:\WINDOWS\system32\vsdatant.sys


  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
  • Post the log back here please (it can also be found at C:\avenger.txt).

Re: Internet Browser Malware?

Post by luckyguy457321 » October 11th, 2012, 9:45 am

Oh yay, it worked, the internet works again, on all three browsers.
Thank you so much!

Here is the log:
avengers.txt
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "vsdatant" deleted successfully.
File "C:\WINDOWS\system32\vsdatant.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Internet Browser Malware?

Post by Gary R » October 11th, 2012, 12:15 pm

Thank god for that ... I was beginning to think I'd lost it; I was certainly starting to run short on ideas. ;)

OK, well now you've got Internet access back, we need to get an Anti-Virus and Firewall installed on your computer as quickly as possible.

If you want to risk a clean install of Zone Alarm, then go ahead and install it now.

If you're worried that it might go wrong again and cause the same problem we've just been working on for so long, then you could try using some of the free programs on the following page .... viewtopic.php?p=557965#p557965

Time for a little housekeeping, to get rid of the programs we've been using on your machine.

First

Let's clear out OTL and the files and folders it created. This will also remove SystemLook, GMER, TDSSKiller, Avenger.
  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes.
  • When finished, exit out of OTL.
  • Now delete OTL.exe (if still present).

Next

Please delete the following ....

CKScanner
MGADiagnostic
Farbar Service Scanner
MiniToolbox
aswMBR
any remaining log files that have not been removed.


As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems?
  • If you are let me know about them.
  • If not it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

If your computer is running slowly after your clean up, please read.

Re: Internet Browser Malware?

Post by luckyguy457321 » October 12th, 2012, 3:47 am

I ran the clean up button in OTL. It also deleted CKScanner, Farbar Service Scanner and MiniToolbox. I deleted the rest of the applications from the desktop.
I was thinking about installing the Online Armor Firewall, Avast! Free Antivirus and Malwarebytes' Anti-Malware.
Is it all right to install that software together?
Also, which hosts file do you recommend using, or should I not use one at all?
Well, I'm really glad it turned out not to be Malware, although I was really convinced that it was, that's why I came here.
Thanks for your help.

Edit: Is there a difference between an Anti-Malware and an Anti-Virus?
Edit: Does an Anti-Malware scan when you ask it to or set it to, while an Anti-Virus scans all the time?

Re: Internet Browser Malware?

Post by Gary R » October 12th, 2012, 4:57 am

You're welcome, glad I could help :).

Online Armor, Avast and Malwarebytes make a good basic protection setup. They won't interfere with each other.

The difference between an Anti-Virus scanner and an Anti-Malware scanner is primarily in what they look for. An Anti-Malware is really just a scan that has been optimised to look for trojans and worms as opposed to the other forms of computer infection. Anti-Virus scanners are more wide ranging. Most modern Anti-Virus programs include some Anti-Malware functionality, it's just that they're not very good at it, so we advise including a separate Anti-Malware scan in your defences.

The free version of Malwarebytes does not include "real time" scanning, it is an on-demand scan only, so you just run it when you feel you need to. The paid version does include RT scanning.

As far as Hosts files are concerned, personally I use the MVPS Hosts file .... http://winhelp2002.mvps.org/hosts.htm .... which is updated fairly often (you need to check manually) and has never caused me any problems.

Hope that answers your questions.
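A blocking hosts file like the MVPS one recommended above only ever maps names to 0.0.0.0 or loopback, so the useful check on any hosts file is whether some entry points a name at a real address instead (the pattern of a hosts-file hijack, which also breaks connectivity the way this thread describes). The audit below is an added example, not part of the thread or the MVPS project; the hosts content is constructed, with .example names and a documentation-range address standing in for a hijack.

```python
import ipaddress

# Constructed sample hosts file: MVPS-style block entries plus two entries a
# defender would want flagged (names pointed at a real, non-local address).
SAMPLE_HOSTS = """\
# Blocking entries map unwanted hosts to 0.0.0.0 so the connection fails locally
127.0.0.1 localhost
0.0.0.0 ads.example
0.0.0.0 tracker.example
127.0.0.1 banner.example   # older files use loopback instead of 0.0.0.0
203.0.113.9 antivirus-vendor.example
203.0.113.9 update.example
::1 localhost
not-an-address broken.example
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments, blank lines and extra aliases' spacing."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            yield parts[0], host.lower()

def audit_hosts(text):
    """Classify entries: 'blocked' (0.0.0.0 / loopback), 'redirected' (a real address,
    the hijack pattern) and 'malformed' (address does not parse)."""
    result = {"blocked": [], "redirected": [], "malformed": []}
    for addr, host in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            result["malformed"].append(host)
            continue
        if ip.is_loopback or ip.is_unspecified:
            if host != "localhost":          # the localhost lines are normal, not blocks
                result["blocked"].append(host)
        else:
            result["redirected"].append((host, addr))
    return result

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

Any name in the redirected list deserves a look before the file is trusted, because a blocking file has no reason to send traffic anywhere.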

Re: Internet Browser Malware?

Post by luckyguy457321 » October 12th, 2012, 5:08 am

Thanks for your help Gary!

Re: Internet Browser Malware?

Post by Gary R » October 12th, 2012, 6:57 am

You're welcome.

Keep safe.

Gary

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.