Solved Bad Virus(s) - multiple symptoms

Status
Not open for further replies.
D

dhester2

Posts: 7   +0
Greetings; I'm having serious problems with a virus on my machine, and I'm hoping someone can provide assistance or guidance to help me clean it out. I tried to do the 8 steps indicated here, but have had a couple of problems. I can't access update.microsoft.com, and the DDS seems to hang and I'm not sure what is blocking it. GMER runs, but it gives one set of messages when it comes up, and then when I follow the instructions it starts a complete system scan ... after 1.5 days it still wasn't done scanning files, so I'm not sure if I did something wrong; I'm including the output it gave when I started it, and the output it had generated by the time I terminated it. Clearly Norton Internet Security with it's own firewall and AV didn't do me much good.

Symptoms:
svchost.exe shows repeated attempts to connect to hosts in the following networks:
61.61.20.135:443 (and other hosts in this network as well)
91.212.226.7:443 (and other hosts in this network as well)
213.163.89.104:80 (and other hosts in this network as well)
if Firefox or IE are running, they show repeated attempts to connect to hosts in this network: 213.163.89.104:80 (and other hosts in this network as well)
ZoneAlarm (installed after infection started) shows svchost as the process trying to connect; if FireFox or IE are running, they also try to connect to
ZoneAlarm sometimes gets turned off (?)
Outlook does not completely exit when I quit the program; the icon remains in the systray - this never happened before
I cannot reach update.microsoft.com; it appears that the virus is blocking access to this and other sites
For some weeks I have had a noticeable increase in phishing emails, and some of the emails are getting good ...
I experienced a credit card breach with the card that I use for online transactions - fortunately, the bank caught it and the card is now disabled.
very slow boot process
Firefox and IE take forever to initialize when started
inconsistent behavior - on one reboot Symantec (Norton Internet Security) failed to initialize and reported an error in startup; Firefox or IE close without warning; ZoneAlarm somehow exits without warning
Firefox hangs and a black script execution screen comes up; then error message saying that a script has failed on this page ...

Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4217

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18372

6/20/2010 10:52:34 AM
mbam-log-2010-06-20 (10-52-34).txt

Scan type: Quick scan
Objects scanned: 130081
Time elapsed: 12 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

First GMER log (what it says when I first start the program):

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-20 11:29:10
Windows 5.1.2600 Service Pack 3
Running: o3f303pi.exe; Driver: C:\DOCUME~1\David\LOCALS~1\Temp\uwtdyuog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86EA8EC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Second GMER Log (too big to include here so I'm attaching) - this is what it does after I select the rootkit tab and hit scan.

I'm communicating via my work machine because the infected machine is now pretty useless as it is. Again, any assistance to get me pointed in the right direction is greatly appreciated.

Regards,
David Hester

Addendum ... I finally managed to get DDS to run. The log files are attached.
Second Addendum ... after much retrying, I have managed to get GMER to run to completion. The Log file is attached.
 

Attachments

  • Gmer_2.log
    154.4 KB · Views: 0
  • Attach.txt
    21.8 KB · Views: 0
  • DDS.txt
    21.1 KB · Views: 2
  • GMER LOG COMPLETE.log
    172 KB · Views: 1
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
ComboFix Log

Thanks, I have now run ComboFix per the instructions, and the log is attached. Regards, David
 

Attachments

  • ComboFix.txt
    20 KB · Views: 2
Are you, by any chance, running ZoneAlarm firewall in addition to Norton's firewall?

How are computer's issues at the moment?

Please, delete your GMER file, download fresh one and post new log.
 
New GMER Log

I am running Norton Internet Security with firewall; I am also running ZoneAlarm. I installed ZoneAlarm at the outset of the virus problem because I couldn't figure out how to block specific IP's using the Norton Product. Please advise if I should disable ZoneAlarm now.

I am not seeing the constant traffic or errors in ZoneAlarm, and I am now able to access the Microsoft update site, however shutdown processes take forever and sometimes hang, the boot process is still very slow, and I have sluggish response in general on the browser and when running more than one program. Other issues follow:

Within the Techspot forum, I try to 'manage attachments' via Firefox, and the popup window never appears even though not blocked, or even if I hold control while clicking.
got security warning on startup that a program was attempting to modify ctfmon.exe
legacy apps that require Windows 95 compatibility mode don't run and hang the machine when run
MS Outlook process remains active and icon stays in systray after exiting program

The new GMER Log is attached.

Thanks for your assistance,
David Hester

Additional Information: I just started Outlook and got a message from Norton Internet Security that it had detected Backdoor.Tidserv!inf with a statement that it requires manual removal. I clicked on the OK button for more information and the window went away. I went to the log and tried to find more information, and it shows that it detected the virus, and it says that it is not safe to remove it. I'm not sure I understand what that means ...
 

Attachments

  • 06232010_GMER.log
    166.5 KB · Views: 4
Yes, please uninstall ZoneAlarm. Running two firewalls is a bad idea.

As for other issues - we're not done yet, I just wanted to know about your current computer status.

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

===================================================================

Note: If you have a previous version of TDSSKiller downloaded please delete it now and download a fresh copy using the links provided below

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.

===================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
TDSSKiller and OTL Logs

Good Evening, I have uninstalled ZoneAlarm, and I managed to get my legacy apps running again ... it seems like the properties for emulation were reset at some point during this process, but they're OK now. After following your instructions, I tried cutting and pasting and the logs and they are too big so I'm attaching them below.

Thanks again for your assistance.
Regards,
David Hester
 

Attachments

  • TDSSKiller.txt
    46.9 KB · Views: 1
  • OTL.Txt
    100.6 KB · Views: 1
  • Extras.Txt
    36 KB · Views: 1
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code: 
    :OTL
DRV - [2008/06/27 00:08:40 | 000,207,656 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2008/06/27 00:08:40 | 000,079,240 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2008/06/27 00:08:40 | 000,040,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2008/06/27 00:08:40 | 000,035,240 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/06/19 23:41:38 | 000,034,152 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll File not found
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe File not found
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
@Alternate Data Stream - 235 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FEF1A08C
@Alternate Data Stream - 220 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:37499A4A
@Alternate Data Stream - 157 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:24975D5E
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

:Services

:Reg

:Files

:Commands
[purity]
[emptytemp]
[emptyflash]
[resethosts]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Fix Applied, new Quick Scan

Good Evening, I hope I'm not being prematurely optimistic, but the machine seems to be running faster than it has in a very long time. I haven't tested anything else yet but there is an apparent speed improvement if nothing else.

Attached are the results of the OTL Fix, and also the new OTL Quick Scan.

Thanks,
David Hester
 

Attachments

  • 06232010_221405_OTLResults.txt
    12.4 KB · Views: 3
  • NewOTLQuickScan.txt
    94 KB · Views: 1
Very good :)

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
    [*] Archives
    [*] Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Kaspersky Done ...

Good Morning,

I ran TFC, and then did the Kaspersky scan as instructed. It ran for almost 8 hours and scanned nearly 200,000 files on the machine and came up completely clean. I went into the view report screen, and it came up blank ... I tried to do a 'save as' and after pressing the button, it just went gray. I'm hoping this is good news - I would have thought that it would say how many files were scanned or something.

Please let me know if I should run it again, or if that's the way it normally works. Also, what my next step should be.

Thanks for your assistance,
Regards,
David Hester
 
OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

======================================================================


Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.
 
Many Thanks!

Good Afternoon Broni,

I have completed the steps below and hopefully this is the end of it. A couple of things to mention about the system. It seems to have a fairly long lag when booting or rebooting at the point where Norton Internet Security is loading, and before the network icon appears in the systray. It could be Windows I guess, but it does seem like a rather long delay.

Also, I played around with Outlook not exiting properly, and it turned out to be rather odd. I tried turning off mail scanning in Norton with inconsistent results as far as Outlook exiting. I then went into the Add-ins for Outlook, and disabled all of the add-ins one at a time. When I finally disabled the Add-in for Norton Internet Security, Outlook generated an error related to an Add-in that was not listed in the Add-in names, and closed itself. The message was too quick for me to write down the name of the add-in but it was not anything to do with Norton or anything that I'd seen previously. I then restarted Outlook, re-enabled the Norton Internet Security Add-in, and Outlook is now working properly and exits as it should. Is it possible that there is some kind of virus that targets just Outlook and not the underlying OS? Just a thought, maybe it was a quirk, but it didn't look like it.

I want to thank you for your time and assistance through this problem. If I can make a donation towards coffee (or whatever) via Paypal, please let me know ... the service provided is worth far more than the junk programs being sold by the thousands that supposedly 'fix' your PC when you get an infection!

Regards,
David Hester

[email address removed for security reasons - Broni]
 
Your "Thank you" is a very solid "payment", so it'll do.

I'd like to advice you on running low of your hard drive free space:
Drive C: | 111.78 Gb Total Space | 11.18 Gb Free Space | 10.00% Space Free
Click to expand...

Windows prefers to run on at least 15% of a free space.

Then, Norton is known for slowing computers down. My suggestion - when your subscription expires, switch to something lighter :)

Good luck and stay safe :)
 
Status
Not open for further replies.

Similar threads

D
New LogoFAIL exploit leaves Windows and Linux users vulnerable to remote attacks
Replies
1
Views
285
Gezzer
G
D
Mini PCs sold on Amazon contained factory-installed spyware
Replies
16
Views
403
Fastturtle
F
midian182
Google's Find My Device will use billions of Android devices to pinpoint lost items
Replies
3
Views
487
p51d007
p51d007

Latest posts

Back