TechSpot

I have the 213.163.89.105.80 & 213.163.89.106.80 virus - please help!

By LongSuffering
May 4, 2010
  1. Hi,

    Having spent the last 48 hours pretty much solidly trying to rid myself of the scourge that is AntiSpyware Soft and the million other associated programmes, I am requesting your expert help!

    Basically I had that virus, and every time I ran any of the Malware/Spybot etc scanners in safe mode they would find tons of 'new' viruses.

    Concurrently, I have this 213.163.89.105.80 or 213.163.89.106.80 'Site was blocked' message every time I do a Google search. This comes up in ESET NOD.

    If someone could help me navigate through the minefield that is removing this virus I would be *so* grateful.

    Thanks so much

    PS I am on Windows XP
     
  2. LookinAround

    LookinAround Ex Tech Spotter

  3. Bobbye

    Bobbye Helper on the Fringe

    Coincidentally, there are 2 of you asking about this same site now:
    The site you're asking about is:
    inetnum: 213.163.89.0 - 213.163.89.127
    netname: HSSN-NET
    descr: High Secured Space Network Group
    country: NL

    But as mentioned, you will need to follow the steps in the link you were given. I'll review the logs. You can follow the other thread along if you want: http://www.techspot.com/vb/topic146711.html

    The malware help will be specific for each of you, although I may ask you both to run some of the same programs.

    Please do not run any other cleaning programs or scans unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  4. LongSuffering

    LongSuffering TS Rookie Topic Starter

    Am on it ..

    Thanks guys,

    Just checking in to let you know I'm going through the 8 steps now and will be posting all the logs and details once I'm done.

    I'll follow the other thread too . . it will be nice to have some hope that I can remove this nasty thing.

    Back in a sec
     
  5. LongSuffering

    LongSuffering TS Rookie Topic Starter

    All done

    Here's how I got on:

    Step 1:
    * Full system scan using ESET NOD AV – log saved

    Step 2:
    * TFC – downloaded, run and computer restarted

    Step 3:
    * Updates installed from Windows notification icon (Yellow shield with black exclamation mark). The Windows update website fails to load in both normal and safe mode and from the Control Panel for some reason.

    * Uninstalled Java, reinstalled with current version from: www.java.com/

    * Uninstalled existing Adobe Reader, updated with current version from: http://get.adobe.com/uk/reader/than...m&a=Air_Installer&d=McAfee_Security_Scan_Plus

    Step 4:
    * Malware updated, Quick Scan run – no malicious items found (previously there have been in Safe Mode & Networking). Log saved.

    Step 5:
    * Downloaded GMER, scanned no problems. Took ages.

    Step 6:
    * I don’t have any specific software against scripts – I don’t even know what they are – and couldn’t see anything about this in ESET so presume this is ok.

    Step 7 & 8:
    * Complete.

    Thanks
     

  6. LongSuffering

    LongSuffering TS Rookie Topic Starter

    ESET SCAN for step 1 attached
     

  7. LongSuffering

    LongSuffering TS Rookie Topic Starter

    Is it worth trying any of the YouTUBE tutorial for this rootkit? Anyone know of any legitimate software?
     
  8. Bobbye

    Bobbye Helper on the Fringe

    Patience is what it's worth! If you start gathering programs you think might work, you will further harm the system.

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    =====================
    After you get Combofix installed, run the following:
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    Driver::
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    (image: CFScript.txt being dragged onto ComboFix.exe)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
     
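The FCopy line in the script above overwrites the live atapi.sys with the copy Windows keeps under ServicePackFiles\i386. Before replacing a kernel driver it is worth confirming that the two copies actually differ, and that the backup exists at all. The Python below is an added example, not something from this thread or from the ComboFix authors: it hashes each driver in both locations and reports which ones differ. The directory tree and driver contents it reads are constructed in a temporary folder so it runs offline; the driver names (atapi.sys, ohci1394.sys, disk.sys) are just the ones chosen for the illustration, and on a real XP machine you would point compare_drivers() at the two real directories.

```python
r"""Compare live Windows drivers against their Service Pack backup copies.

Added example, not part of the TechSpot thread or of ComboFix. The
CFScript above restores atapi.sys from C:\WINDOWS\ServicePackFiles\i386
over C:\WINDOWS\system32\drivers; this shows the check worth running
first: hash both copies of each driver and report which ones differ.
Everything it touches is built in a temporary directory (constructed
sample data), so it runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

# Driver names used for the illustration: atapi.sys (the one the thread's
# FCopy replaces), ohci1394.sys (flagged Win32/Patched.EQ in the ESET log)
# and disk.sys as an arbitrary third control.
DRIVERS = ("atapi.sys", "ohci1394.sys", "disk.sys")


def sha256_of(path):
    """Stream a file through SHA-256 so large drivers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(live_dir, backup_dir, names=DRIVERS):
    """Return {driver: status}; status is 'ok', 'MODIFIED', 'missing-live'
    or 'missing-backup'. A missing backup is reported rather than skipped,
    because a copy from a file that does not exist restores nothing."""
    live_dir, backup_dir = Path(live_dir), Path(backup_dir)
    result = {}
    for name in names:
        live, backup = live_dir / name, backup_dir / name
        if not backup.is_file():
            result[name] = "missing-backup"
        elif not live.is_file():
            result[name] = "missing-live"
        elif sha256_of(live) == sha256_of(backup):
            result[name] = "ok"
        else:
            result[name] = "MODIFIED"
    return result


def build_demo_tree(root):
    """Constructed sample tree: clean backups of all three drivers, a live
    atapi.sys with five bytes overwritten (a near jmp patched into the
    code, the way driver-infecting rootkits of the period worked), an
    untouched live ohci1394.sys, and no live disk.sys at all."""
    live = Path(root) / "WINDOWS" / "system32" / "drivers"
    backup = Path(root) / "WINDOWS" / "ServicePackFiles" / "i386"
    live.mkdir(parents=True)
    backup.mkdir(parents=True)
    clean = {name: b"MZ" + bytes(200) + name.encode() for name in DRIVERS}
    for name, data in clean.items():
        (backup / name).write_bytes(data)
    patched = bytearray(clean["atapi.sys"])
    patched[64:69] = b"\xe9\x00\x10\x00\x00"   # 5-byte jmp where code was
    (live / "atapi.sys").write_bytes(bytes(patched))
    (live / "ohci1394.sys").write_bytes(clean["ohci1394.sys"])
    return live, backup


def demo():
    """Run the comparison over the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as root:
        live, backup = build_demo_tree(root)
        return compare_drivers(live, backup)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14s} {status}")
```

Two caveats travel with this check. A match only proves the two copies are identical; if the ServicePackFiles copy was also tampered with, or was never installed, you still need a hash taken from clean installation media. And a kernel rootkit that hooks the disk stack can hand clean bytes to anything that reads the driver file on the running system, so a comparison made from a clean boot environment, or against an offline image of the disk, is more trustworthy than one made on the possibly infected machine itself.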
  9. LongSuffering

    LongSuffering TS Rookie Topic Starter

    First Combofix log as per part 1

    Ok, here is the first log for part 1

    Second to follow . . .
     

  10. LongSuffering

    LongSuffering TS Rookie Topic Starter

    Combofix part 2 after CFScript

    Part 2,

    My computer ran Combofix then blue-screened and rebooted. Perhaps I need to do this step again?

    :wave:
     

  11. LongSuffering

    LongSuffering TS Rookie Topic Starter

    Combofix part 2 attempt 2

    Version with no blue screen this time - after CFScript.txt

    Update:
    After going back into Google and searching for random things I notice the error message is not there anymore, from ESET (well, so far!). So I looked at the ESET log and found the following info:

    05/05/2010 20:57:16 Real-time file system protection file C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ohci1394.sys.vir Win32/Patched.EQ trojan unable to clean NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\ComboFix\PEV.cfxxe.
    05/05/2010 20:57:15 Real-time file system protection file C:\DOCUME~1\GERALD~1\LOCALS~1\Temp\Av-test.txt Eicar test file cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\ComboFix\CF19571.cfxxe.
    05/05/2010 20:57:12 Real-time file system protection file C:\QooBox\Quarantine\C\WINDOWS\system32\Drivers\ohci1394.sys.vir Win32/Patched.EQ trojan unable to clean NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\ComboFix\CF19571.cfxxe.
    05/05/2010 20:57:12 Real-time file system protection file C:\QOOBOX\32788R22FWJFW\ohci1394.sys Win32/Patched.EQ trojan unable to clean NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\fc.exe.
    05/05/2010 20:57:11 Real-time file system protection file C:\QooBox\32788R22FWJFW\ohci1394.sys Win32/Patched.EQ trojan unable to clean NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\ComboFix\PEV.cfxxe.
    04/05/2010 13:05:34 HTTP filter archive http://www1.holdonsafety59-p.xorg.p...ra26HodeYbmFfa2Rxm2GZY2WMkMahqnNdqZ/JnptsZA== HTML/TrojanDownloader.FraudLoad.NAC trojan connection terminated SAMSUNG\Geraldine Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
    01/05/2010 15:37:28 Real-time file system protection file C:\WINDOWS\TEMP\00005562.sys a variant of Win32/Rootkit.Kryptik.BK trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\spoolsv.exe.
    01/05/2010 15:32:06 HTTP filter file http://hypoload.in/gotnewupdate.exe a variant of Win32/Kryptik.DZL trojan connection terminated - quarantined SAMSUNG\Geraldine Threat was detected upon access to web by the application: C:\WINDOWS\explorer.exe.
    01/05/2010 15:30:51 Real-time file system protection file C:\WINDOWS\system32\net.net a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\DOCUME~1\GERALD~1\LOCALS~1\Temp\xnwaomrsec.tmp.
    01/05/2010 15:30:51 Real-time file system protection file C:\DOCUME~1\GERALD~1\LOCALS~1\Temp\xnwaomrsec.tmp a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\mshta.exe.
    01/05/2010 15:30:50 Real-time file system protection file C:\WINDOWS\system32\net.net a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\DOCUME~1\GERALD~1\LOCALS~1\Temp\xnwaomrsec.tmp.
     

  12. LongSuffering

    LongSuffering TS Rookie Topic Starter

    Hi,

    Is this stuff ok in my ESET? I still keep getting random internet attacks from this Qoobox whatever it is file from the internet?

    Thanks
     
  13. Bobbye

    Bobbye Helper on the Fringe

    Qoobox is not an attack or malware. It is the name of the 'folder' where Combofix sends the quarantines and deletes. Once in the Qoobox, it is not active on the system. All of this will be removed when I have you uninstall Combofix.

    Regarding your Post #11- I can't read that. I would appreciate it if you would do the Eset online scan as I requested, then post that entire log as it's given.

    I notice you are not disabling the security when you run Combofix as instructed. In order to get the most reliable scan, you are instructed as follows:
    You do not need to keep running Combofix unless I instruct you to or when I write script for it.
    ===================================
    Reminder: disable all of the security before running this. The program is already on the desktop- go offline and run it:
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    Folder::
    
    DDS::
    dRun: [xsjprgkh] c:\documents and settings\geraldine\local settings\application data\tvkbgparv\kpcobfrtssd.exe
    BHO: 1 (0x1) - No File
    
    Registry::
    Driver::
    rkhdrv40
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    (image: CFScript.txt being dragged onto ComboFix.exe)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ================================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===============================
    Uninstall the copy of HijackThis v1.9.9 on your system now and do the following:

    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ==========================
    Logs to include in next reply:
    Combofix after running the script
    Eset online scan
    HijackThis

    Describe any malware problems you are still having- if any.
     
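Bobbye's point that anything under C:\Qoobox is already inert is the key to reading the ESET log LongSuffering pasted in post #11. The Python below is an added example, not from the thread and not an ESET tool: it parses lines in the space-flattened form they appear in above (the regex assumes that layout, not ESET's native tab-separated export), separates quarantine hits from live ones, and pulls out the two things worth acting on: the hosts the HTTP filter blocked, and the processes that wrote the detected files. The sample lines are copied from post #11, truncated URL included.

```python
r"""Triage ESET NOD32 log lines of the kind pasted in post #11.

Added example, not from the thread and not an ESET tool. The regex assumes
the space-flattened layout the lines have in this thread (date, module,
object type, object, threat, action, user, details), not ESET's native
tab-separated export. Verdicts follow the rule given in post #13: anything
under C:\Qoobox is ComboFix quarantine and therefore inert.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Sample lines copied from post #11 (the first URL is truncated there too).
SAMPLE_LOG = r"""
05/05/2010 20:57:16 Real-time file system protection file C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ohci1394.sys.vir Win32/Patched.EQ trojan unable to clean NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\ComboFix\PEV.cfxxe.
05/05/2010 20:57:15 Real-time file system protection file C:\DOCUME~1\GERALD~1\LOCALS~1\Temp\Av-test.txt Eicar test file cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\ComboFix\CF19571.cfxxe.
04/05/2010 13:05:34 HTTP filter archive http://www1.holdonsafety59-p.xorg.p...ra26HodeYbmFfa2Rxm2GZY2WMkMahqnNdqZ/JnptsZA== HTML/TrojanDownloader.FraudLoad.NAC trojan connection terminated SAMSUNG\Geraldine Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
01/05/2010 15:37:28 Real-time file system protection file C:\WINDOWS\TEMP\00005562.sys a variant of Win32/Rootkit.Kryptik.BK trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\spoolsv.exe.
01/05/2010 15:32:06 HTTP filter file http://hypoload.in/gotnewupdate.exe a variant of Win32/Kryptik.DZL trojan connection terminated - quarantined SAMSUNG\Geraldine Threat was detected upon access to web by the application: C:\WINDOWS\explorer.exe.
01/05/2010 15:30:51 Real-time file system protection file C:\DOCUME~1\GERALD~1\LOCALS~1\Temp\xnwaomrsec.tmp a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\mshta.exe.
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<module>Real-time file system protection|HTTP filter) "
    r"(?P<kind>file|archive) "
    r"(?P<obj>\S+) "                                  # path or URL, no spaces
    r"(?P<threat>.+? (?:trojan|test file)) "          # ESET names end in 'trojan'
    r"(?P<action>.+?) "                               # e.g. 'unable to clean'
    r"(?P<user>NT AUTHORITY\\SYSTEM|[^\s\\]+\\[^\s\\]+) "
    r"(?P<info>(?:Event occurred|Threat was detected).*?)\.?$"
)
APP_RE = re.compile(r"by the application: (?P<app>.+)$")


def parse_line(line):
    """Split one flattened ESET line into fields; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    app = APP_RE.search(ev["info"])
    ev["parent"] = app.group("app") if app else ""   # process that touched it
    return ev


def classify(ev):
    """Decide whether a detection still matters: quarantine and self-test
    entries are noise; only live objects are judged by their outcome."""
    obj, action = ev["obj"].lower(), ev["action"].lower()
    if obj.startswith("c:\\qoobox"):
        return "inert (ComboFix quarantine)"
    if ev["threat"] == "Eicar test file":
        return "self-test (EICAR)"
    if ev["module"] == "HTTP filter":
        return "blocked download"
    if "quarantined" in action:
        return "neutralised"
    if "unable to clean" in action:
        return "STILL PRESENT"
    return "review"


def triage(log_text):
    """Parse every non-empty line and attach a verdict. Lines that do not
    parse are kept under 'unparsed' so nothing disappears silently."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            ev = {"raw": line, "verdict": "unparsed"}
        else:
            ev["verdict"] = classify(ev)
        events.append(ev)
    return events


def summary(events):
    return Counter(ev["verdict"] for ev in events)


def blocked_hosts(events):
    """Hosts the HTTP filter stopped: what to look for in DNS or proxy logs."""
    return {urlsplit(ev["obj"]).hostname for ev in events
            if ev.get("module") == "HTTP filter"}


def dropper_parents(events):
    """Processes that wrote a live (not quarantined) detected file. In the
    sample that is mshta.exe and spoolsv.exe; a print spooler writing a
    .sys into WINDOWS\TEMP is the driver-install step the log records."""
    return sorted({ev["parent"] for ev in events
                   if ev.get("module") == "Real-time file system protection"
                   and ev["verdict"] in ("neutralised", "STILL PRESENT", "review")
                   and ev["parent"]})


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    for ev in evs:
        print(f'{ev.get("time", "?"):19s} {ev["verdict"]:28s} {ev.get("obj", ev.get("raw"))}')
    print(dict(summary(evs)), blocked_hosts(evs), dropper_parents(evs))
```

Run against the full log rather than this excerpt, the "STILL PRESENT" verdict is the one to watch: it only fires for an "unable to clean" hit on a path outside Qoobox, which is exactly the case post #13 says to report back.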