redirected from an MSN link

Chris

Thanks for your help in advance.
I understand that one should post one problem at a time but this all started
at the very same time.
Everything was working fine until this incident.
Yesterday morning my gf was surfing around. She says she clicked on a link
on an MSN page. A box came up and said “you are being redirected”. Our
antivirus then popped up listing a couple files it had deleted and noted a
couple of files that were infected but could not be deleted. The computer
has not been able to connect and browse the internet since. There are also a
couple other funky things going on with the machine since that incident.
WinXP Pro, IE7, nFORCE4M-A motherboard, 1 gig RAM, 1.2 GHz Duron, Computer
Associates antivirus, on a small home network. Other machines on the home
network work fine and browse with no problem.

As mentioned, the machine will not connect to the internet. Also, system
restore is non-functioning. I can change display and toolbar settings but
upon rebooting the changes are lost. It is extremely slow in booting now and
once booted, even when idle, the HD light indicates there is activity on the
HD. And windows no longer recognizes devices plugged into the usb ports.

System restore will not work in either safe or normal mode. I can not turn
system restore off. When I try to access system restore in safe mode I get
the message “system restore is not turned on and can not be accessed in safe
mode”. When I try system restore in safe mode with a command prompt
(%systemroot%\system32\restore\rstrui.exe) I get the same message. Even
though system restore has been on for months there are no restore points
shown when I go to programs/accessories/system tools/system tools.

I have uninstalled and reinstalled the network/network components.

When the machine boots I get the error message “there was a problem opening
zzpnfq4.exe…” I found zzpnfq4.exe in the system32 dir and removed it. I
also removed any reference to zzpnfq4.exe from the registry. The issues
continued unchanged. I also was not able to find any reference to
zzpnfq4.exe anywhere on the web.

When I shut the machine down an error message comes up referencing
“matask32….”. That’s all I can get of the error message because it flashes
by so fast.

I am open to suggestions and am willing to provide any more info that might
be helpful.

thanks again,
Chris
 
DL

Your system is infected with either or both malware and a virus.
Try this, as copied from an earlier post:
--------------------------------------


Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et. al., removal tool --
SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to enable WGET.EXE to download the needed McAfee
related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan,
it will be displayed in your browser (Opera, FireFox or Internet Explorer).
However, if you are using WinXP, Win2K or Win2003 your system will be left
in a state where you will have to manually shutdown/reboot the PC. On
Win9x/ME platforms the report will not be shown in your browser but your PC
will automatically be shutdown. It is suggested that you move the report
out of c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a
copy of the HTML report for each session.


ALTERNATE:

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your
reply.

* * * Please report back your results * * *
 
Sister Mary

Chris said:
Thanks for your help in advance.
I understand that one should post one problem at a time but this all started
at the very same time.
Everything was working fine until this incident.
Yesterday morning my gf was surfing around. She says she clicked on a link
on an MSN page. A box came up and said "you are being redirected". Our
antivirus then popped up listing a couple files it had deleted and noted a
couple of files that were infected but could not be deleted.

I suspect a lot more happened than just being redirected.

Snipped>
When the machine boots I get the error message "there was a problem opening
zzpnfq4.exe."

That appears to be a variant of FQ4.executable.
zzpnfq is a notorious Chinese gay porn grab site,
you can google it if you want, but don't open any of
the results/links that google produces.
If it is the executable, removing it after it has executed is like
closing the stable doors after the horse has bolted.


I found zzpnfq4.exe in the system32 dir and removed it. I
also removed any reference to zzpnfq4.exe from the registry. The issues
continued unchanged. I also was not able to find any reference to
zzpnfq4.exe anywhere on the web.

When I shut the machine down an error message comes up referencing
"mastask32". That's all I can get of the error message because it flashes
by so fast.

I suspect it is a variant of the password stealer mstask32.exe
Google: "mstask32" for full information.


I am open to suggestions and am willing to provide any more info that might
be helpful.

thanks again,
Chris

From your description, it was more than being re-directed,
someone has clicked to agree/download/install naughties?
There appears to be severe and deep corruption.
Do you have an XP installation disc?

Recovery console
http://support.microsoft.com/kb/314058

How to install and use recovery console:
http://support.microsoft.com/kb/307654

Try: "Last known good configuration"
http://www.webtree.ca/windowsxp/repair_xp.htm#How to access Last Known Good Configuration:

Recovery from Command prompt
http://www.webtree.ca/windowsxp/repair_xp.htm#How to access the Recovery Console:

Repair install - you need the XP disc
http://www.webtree.ca/windowsxp/rep...s XP by Installing Over top of Existing Setup:
 
nass

Chris said:
Thanks for your help in advance.
I understand that one should post one problem at a time but this all started
at the very same time.
Everything was working fine until this incident.
Yesterday morning my gf was surfing around. She says she clicked on a link
on an MSN page. A box came up and said “you are being redirected”. Our
antivirus then popped up listing a couple files it had deleted and noted a
couple of files that were infected but could not be deleted. The computer
has not been able to connect and browse the internet since. There are also a
couple other funky things going on with the machine since that incident.
WinXP Pro, IE7, nFORCE4M-A motherboard, 1 gig RAM, 1.2 GHz Duron, Computer
Associates antivirus, on a small home network. Other machines on the home
network work fine and browse with no problem.

As mentioned, the machine will not connect to the internet. Also, system
restore is non-functioning. I can change display and toolbar settings but
upon rebooting the changes are lost. It is extremely slow in booting now and
once booted, even when idle, the HD light indicates there is activity on the
HD. And windows no longer recognizes devices plugged into the usb ports.

System restore will not work in either safe or normal mode. I can not turn
system restore off. When I try to access system restore in safe mode I get
the message “system restore is not turned on and can not be accessed in safe
mode”. When I try system restore in safe mode with a command prompt
(%systemroot%\system32\restore\rstrui.exe) I get the same message. Even
though system restore has been on for months there are no restore points
shown when I go to programs/accessories/system tools/system tools.

I have uninstalled and reinstalled the network/network components.

When the machine boots I get the error message “there was a problem opening
zzpnfq4.exe…” I found zzpnfq4.exe in the system32 dir and removed it. I
also removed any reference to zzpnfq4.exe from the registry. The issues
continued unchanged. I also was not able to find any reference to
zzpnfq4.exe anywhere on the web.

When I shut the machine down an error message comes up referencing
“matask32….”. That’s all I can get of the error message because it flashes
by so fast.

I am open to suggestions and am willing to provide any more info that might
be helpful.

thanks again,
Chris



Hi Chris,
I think you have the latest of Troj/Bifrose-??; you will need an off-line
scanner to scan and isolate this pest.

It locates itself here, C:\Windows\System32\mstask32.exe, and gets scheduled
to start on startup and gain control of your system, thus leaving you unable
to gain control or perform some tasks.

BKDR_BIFROSE.C
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_BIFROSE.CI
Backdoor.Win32.Bifrose.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-101214-5358-99&tabid=3

mstask32.exe- Added by the YAHA.P WORM or Troj/Loony-D
http://www.greatis.com/appdata/d/m/mstask32.exe.htm

Go through these Cleaning steps:
1... First, try to clean up your caches, Internet files and delete cookies
by doing this:
Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties windows you will see these Tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under General Tab clear your History, Internet Files and Cookies.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then click on Programs Tab and click Manage Add-Ons and disable all non
Verified Add-Ons (you should re-enable them later one-by-one to find the
culprit and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
Spybot Search & Destroy
http://www.safer-networking.org/en/download/index.html
Try Spybot S&D after, as it will need to download the definitions and it will
scan your system until it updates itself (hence, with no connection, you cannot).
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
RootkitRevealer v1.71
By Bryce Cogswell and Mark Russinovich
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

Download Avast Cleaner (off-line scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine (off-line scanner):
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

After the scan run disk cleanup on your drive.

Open a run command and type in:
ipconfig /flushdns click [OK]
ipconfig /renew click [OK]
netsh winsock reset click [OK]
Reboot your system and see if you can connect; if you can, try to scan from
an online scanner like:
Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

2- Download the Hijackthis and send the report to one of many
forums for analysis and troubleshooting:
http://www.merijn.org/index.php
When all else fails, HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) is
the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.
HTH.
Let us know how it is going.
nass
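
The thread mentions zzpnfq4.exe in a boot-time error and mstask32.exe as something that starts on startup. As an added example (not part of any post above), this Python script parses saved `reg query` output for the Run key and reports values that launch either file; the sample output, its value names and the choice of the HKLM Run key as the place to look are assumptions.

```python
import ntpath
import re

# File names reported in this thread (boot-time and shutdown error messages).
WATCHED = {"zzpnfq4.exe", "mstask32.exe"}

# Constructed sample of `reg query` output; value names and data are made up.
SAMPLE = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    NvCplDaemon    REG_SZ    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    Task Helper    REG_SZ    "C:\WINDOWS\system32\mstask32.exe" /s
    zzp    REG_EXPAND_SZ    %SystemRoot%\system32\zzpnfq4.exe
"""

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)


def command_target(data):
    """Return the program path from a Run value, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):              # quoted path, possibly with spaces
        return data[1:].split('"', 1)[0]
    m = EXE_RE.match(data)                # unquoted: cut after the extension
    return m.group(1) if m else data


def find_watched(reg_output, watched=WATCHED):
    """List (key, value name, target) for entries that launch a watched file."""
    hits, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):      # header line naming the current key
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        target = command_target(m.group("data"))
        if ntpath.basename(target).lower() in watched:
            hits.append((key, m.group("name"), target))
    return hits


if __name__ == "__main__":
    for key, name, target in find_watched(SAMPLE):
        print(f"{key}\\{name} -> {target}")
```

To use it on a real machine, save the output of `reg query` for each Run key to a text file and pass the file's contents to `find_watched`.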
 
