TechSpot

Help! Possible virus, all logs attached

By bleeg
May 9, 2007
  1. Hello-

    I'm a newbie; found you folks vie googling when things went south. It's obvious you know your stuff... so:

    I followed all of Howard's instructions at http://www.techspot.com/vb/topic58138.html. Logs are attached.

    Any help would be appreciated- I'm not even sure what went wrong, and am not sure now if I have a keylogger or something, particularly because of the mystery FAD.sys that was found but does not scan as a virus. Other files often associated w/FAD.sys I cannot find on my system... so I don't know what to think.

    Thanks for any help!

    Neil

    Details:
    I run symantec firewall & antivirus, always updated, always have windows updates, etc- pretty paranoid. But:

    No problems before I tried this update. But I had been surfing/working/email etc for hours before trying to update, so it's possible this is not just a microsoft glitch.

    After trying Microsoft update Tue, the update failed- while searching for my updates, the system would freeze. Tried again. Failed again. Each time, due to some svchost.exe process eating up 100% processor time. Deleting that process restored things to working, but it got worse- couldn't do the update, then it started just happening when I rebooted, even if I just used Firefox. Deleting the svchost process that was eating the 100% always solved things.

    When svchost was going nuts, it read (using command/tasklist /svc):
    svchost.exe process #200 “services” are” Audiosrv, Browser, Cryptsvc, Dhcp, EventSystem, helpsvc, lanmanserver, lanmanworkstation, Netman, NLA, RasMan, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, srservice, TapiSrv, Themes, TrkWks, W32Time, winmgmt, wscsvc, wuauserv.

    After killing that process, it would restart (without using too much bandwidth); then it would read:
    svchost.exe proc #2204 “services” are “EventSystem, helpsvc, RasMan, Schedule, SENS, TapiSrv, Themes, winmgmt

    Did a Windows Defender quick scan. Nothing found.

    Ran Microsoft's security analyzer/online thing, which found no bad files but did fix 347 registry entries... of course, I've never looked at my registry, and the computer's 2 years old with many things installed & uninstalled, so I don't know if that's unusual.

    After that, I was able to do Office Update (nb: this was hours later; maybe microsoft got things working by then?). Then Microsoft Update for the XP part (I have XP SP2). Then a virus scan, which showed nothing (Symantec or Windows Defender). Svchost would use up 100%, then drop back down (it did not before- once at 100% it stayed there).

    Being paranoid, I stared searching the web for svchost issues, found a thread here, and it led me to follow all the instructions.

    Everything was basically clean, as far as I can tell, except that ComboFix found (& quarantined) FAD.sys in c:/windows/system32/drivers. When I scan the quarantined file w/Symantec, though, it does not read as a virus or anything.

    All logs attached (well, the five most interesting; let me know if you need the others & I'll post them. Only allowed 5 at a time). Not sure what to make of this, and I'd appreciate it if someone could take a look and tell me if I'm compromised. The file "whatIdid.txt" lists everything int he order i did it, & distinguished the hijckthis (before) and (after) files.

    Many thanks!
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    fad.sys is definitely nasty. See HERE for more info.

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file C:\Program Files\836941.exe
    * Click Open
    * Please let me know the results.

    Your HJT log is clean.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh Combofix log.

    6. Also, please attach an AVG Antispyware log as per the instructions in step13 of this thread HERE.

    Regards Howard :wave: :wave:

    This thread is for the use of bleeg only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. bleeg

    bleeg TS Rookie Topic Starter

    Thanks for the help; files attached

    Hello, Howard-

    I followed your new directions; details are:

    Jotti check: no file I can append, but it said 836941.exe was "OK" - noting found by any of the scan programs.

    Avenger:
    1st time I ran it: got a RTVScan error (XXXXX memory could not be read YYYY") error when the computer was shutting down. Avenger clearly did not run right- no text in the log after reboot, lots of errors in it's script along the lines of "avenger.txt cannot be found" and other errors. I ran it again:

    2nd time: Renamed "avengerscript" to just "avenger" (it was on desktop, as was avenger.exe) Shutdown went OK. Reboot fine, got a log. Log files square with the script you sent; log says all removed successfully, zip file does contain files. However, script in window during reboot again showed a lot of errors, particularly a lot of "access denied blah blah" lines. Scorlled to fast for me to write it down.

    ComboFix ran fine; log does seem to show a listing, but I may be interpreting it wrong. Attached so you can see.

    AVG Antispyware: log attached. this log is from earlier this AM- program takes ~ 2.5 hrs to run on my system. Let me know if you need me to run it again, post-Avenger. Program was run as per the step 13 instructions only 3 or 4 hours ago (Symantec & SS&D ran after that, if I remember).

    Any further help again appreciated; I'm a bit unsure whether the Avenger errors are standard or indicate I need to run it again in Safe Mode or something.

    Best (& thanks!)-

    Neil
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Everything looks good.

    Are you still having the same problems? If so, I suggest you take a look at this thread HERE.

    Regards Howard :)

    This thread is for the use of bleeg only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. bleeg

    bleeg TS Rookie Topic Starter

    Hey, Howard- many, many thanks

    I'm glad things look OK; sounds like I definitely had a virus/trojan? Time to change all my passwords, etc.

    If the issue recurrs, I'll probably go the nuclear route & do a clean install. After all this, it doesn't seem like it would take that much longer, and it is guaranteed. I'm dubious about some process hogging time, just because it wasn't a problem 24 hrs ago, and I didn't install anything between when it was working & when the problem arose. Plus I explored the task manager route before starting the virus hunt.

    You help has been great; I don't knw anyone with this level of knowledge about things. A donation on its way to Techspot/freeware providers as soon as I'm confident enough to send money via internet again (give it a couple of day, unless I do a clean install, then sooner).

    Best to you-

    Neil
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No problem mate. A donation isn`t necessary as this is a commercial website paid for through advertising, but thanks for your kind offer anyway.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of bleeg only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...