Greetings; I'm having serious problems with a virus on my machine, and I'm hoping someone can provide assistance or guidance to help me clean it out. I tried to do the 8 steps indicated here, but have had a couple of problems. I can't access update.microsoft.com, and the DDS seems to hang and I'm not sure what is blocking it. GMER runs, but it gives one set of messages when it comes up, and then when I follow the instructions it starts a complete system scan ... after 1.5 days it still wasn't done scanning files, so I'm not sure if I did something wrong; I'm including the output it gave when I started it, and the output it had generated by the time I terminated it. Clearly Norton Internet Security with its own firewall and AV didn't do me much good.
Symptoms:
svchost.exe shows repeated attempts to connect to hosts in the following networks:
61.61.20.135:443 (and other hosts in this network as well)
91.212.226.7:443 (and other hosts in this network as well)
213.163.89.104:80 (and other hosts in this network as well)
if Firefox or IE are running, they show repeated attempts to connect to hosts in this network: 213.163.89.104:80 (and other hosts in this network as well)
ZoneAlarm (installed after infection started) shows svchost as the process trying to connect; if Firefox or IE are running, they also try to connect to
ZoneAlarm sometimes gets turned off (?)
Outlook does not completely exit when I quit the program; the icon remains in the systray - this never happened before
I cannot reach update.microsoft.com; it appears that the virus is blocking access to this and other sites
For some weeks I have had a noticeable increase in phishing emails, and some of the emails are getting good ...
I experienced a credit card breach with the card that I use for online transactions - fortunately, the bank caught it and the card is now disabled.
very slow boot process
Firefox and IE take forever to initialize when started
inconsistent behavior - on one reboot Symantec (Norton Internet Security) failed to initialize and reported an error in startup; Firefox or IE close without warning; ZoneAlarm somehow exits without warning
Firefox hangs and a black script execution screen comes up; then an error message saying that a script has failed on this page ...
Malwarebytes log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4217
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18372
6/20/2010 10:52:34 AM
mbam-log-2010-06-20 (10-52-34).txt
Scan type: Quick scan
Objects scanned: 130081
Time elapsed: 12 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
First GMER log (what it says when I first start the program):
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-20 11:29:10
Windows 5.1.2600 Service Pack 3
Running: o3f303pi.exe; Driver: C:\DOCUME~1\David\LOCALS~1\Temp\uwtdyuog.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86EA8EC5
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Second GMER Log (too big to include here so I'm attaching) - this is what it does after I select the rootkit tab and hit scan.
I'm communicating via my work machine because the infected machine is now pretty useless as it is. Again, any assistance to get me pointed in the right direction is greatly appreciated.
Regards,
David Hester
Addendum ... I finally managed to get DDS to run. The log files are attached.
Second Addendum ... after much retrying, I have managed to get GMER to run to completion. The Log file is attached.
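Added example (not part of David's post, and not code from Malwarebytes or GMER): a small Python script that parses the "Registry Data Items Infected" lines in the Malwarebytes log format shown above, and re-checks the `shell\open\command` defaults for `scrfile` and `regfile` against the known-good values the log itself reports. The function names, the `triage_log` helper and the sample log excerpt are assumptions for illustration; the only registry values used are the "Good:" values printed in the log. On Windows it can also read the live values with `winreg`; elsewhere that step is skipped so the parser and comparison still run offline.

```python
"""
Added example: parse Malwarebytes 'Registry Data Items Infected' lines and
check file-type shell\\open\\command defaults against known-good values.
Not the original poster's code and not part of any vendor tool.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Known-good defaults for the two classes the post's MBAM log flagged.
# These strings are exactly what the log printed after "Good:".
EXPECTED_OPEN_COMMANDS: Dict[str, str] = {
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
}

# Shape of an MBAM registry-data finding, as seen in the log above:
# <key>\(default) (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>
MBAM_LINE = re.compile(
    r"^(?P<key>HKEY_[^ ]+?)\\\(default\) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)

# Constructed sample: the two finding lines copied from the log in the post,
# plus a non-finding line that the parser must ignore.
SAMPLE_MBAM_LINES: List[str] = [
    "(No malicious items detected)",
    r'HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.',
    r'HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.',
]


@dataclass
class RegistryFinding:
    key: str
    detection: str
    bad_value: str
    good_value: str
    action: str


def parse_mbam_registry_line(line: str) -> Optional[RegistryFinding]:
    """Return a RegistryFinding for an MBAM registry-data line, else None."""
    m = MBAM_LINE.match(line.strip())
    if not m:
        return None
    return RegistryFinding(m["key"], m["detection"], m["bad"], m["good"], m["action"])


def classify_open_command(key: str, current_value: str) -> str:
    """Compare a shell\\open\\command default against the expected value.

    Returns 'ok', 'hijacked' (value differs from the known-good default) or
    'unknown-key' (no reference value recorded for that class).
    """
    expected = EXPECTED_OPEN_COMMANDS.get(key)
    if expected is None:
        return "unknown-key"
    return "ok" if current_value.strip() == expected else "hijacked"


def triage_log(lines: List[str]) -> Dict[str, str]:
    """Map each flagged key to the verdict on the 'Bad:' value MBAM removed."""
    verdicts: Dict[str, str] = {}
    for line in lines:
        finding = parse_mbam_registry_line(line)
        if finding is not None:
            verdicts[finding.key] = classify_open_command(finding.key, finding.bad_value)
    return verdicts


def read_live_open_commands() -> Dict[str, Optional[str]]:
    """On Windows, read the current (default) values; on other platforms return {}."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return {}
    live: Dict[str, Optional[str]] = {}
    for key in EXPECTED_OPEN_COMMANDS:
        subkey = key.split("\\", 1)[1]  # strip the HKEY_CLASSES_ROOT prefix
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, subkey) as handle:
                value, _ = winreg.QueryValueEx(handle, "")  # "" = (default) value
                live[key] = value
        except OSError:
            live[key] = None
    return live


if __name__ == "__main__":
    for key, verdict in triage_log(SAMPLE_MBAM_LINES).items():
        print(f"log:  {key}: removed value was {verdict}")
    for key, value in read_live_open_commands().items():
        status = "missing" if value is None else classify_open_command(key, value)
        print(f"live: {key}: {status} ({value!r})")
```

Both flagged entries in the log point `.scr` and `.reg` files at NOTEPAD.EXE instead of their normal handlers, which is why Malwarebytes reports them as Broken.OpenCommand; running the live check after cleanup confirms the defaults stayed restored across a reboot.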