[Solved] MSN virus?

Discussion in 'Virus and Malware Removal' started by dayslayer8, Jul 31, 2010.

Thread Status:
Not open for further replies.
  1. dayslayer8 Newcomer, in training

    Well, like the other topic, I have received the virus from MSN. For some reason DDS just closes when it starts, and I have disabled my antivirus. So I am just going to upload the 2 logs, Malwarebytes and GMER, for now.
    Oh, and for GMER I had to disable devices.
    Thnx.

    And another thing was that I had one or a few viruses prior to the MSN virus, as the computers from school give a virus whenever I plug a USB in.

    Apparently DDS is a screensaver file, just letting you know.

    Attached Files:

  2. Bobbye Helper on the Fringe

    Firstly, you do not have to disable the antivirus to run these preliminary logs, so please enable it again.

    Second, you have a Backdoor.IRCBot. This is a type of Trojan that is also often referred to as a 'bot'; it opens a back door that allows a remote attacker to take control of the compromised computer. It connects to Internet Relay Chat (IRC) channels to launch distributed denial of service (DDoS) attacks.

    DDS is not a screensaver file; it is a FLEXIT Singleshot Survey Raw Data file. Please observe the following and run DDS again, leaving the log in your next reply:
    You may have to disable any script protection running if the scan fails to run.
  3. dayslayer8 Newcomer, in training

    Sorry, I don't know what to do to "disable any script protection running". I am pretty sure I don't have anything blocking the programs; maybe I do, but I really don't know.
    I have right clicked it, gone into Properties, and clicked the Unblock thing. DDS still does not work.
    When I open DDS, the cmd window opens up and then quickly closes. I am not sure if that's what it is supposed to do, but I've waited for an hour and still no logs.
    Maybe I can use something alternate?
    Thnx
  4. dayslayer8 Newcomer, in training

    Oh, and just in case you need this.
    Some of my symptoms are:
    Internet Explorer cannot run or be started. I have to use Firefox instead.
    Windows Media Player cannot be run or be started.
    No more sound output. If I try to watch a video either on my computer or online, there will be no sound. I am pretty sure my speakers are connected correctly with the volume turned up.
    The Internet Connection icon in the system tray shows that there is no connection, even though I am connected to the internet.
    Security Centre keeps giving me a security pop-up message from the system tray, every second.
    And also DDS doesn't work; maybe it's blocked by the virus?
  5. Bobbye Helper on the Fringe

    Please see the friendly information on this site for script blockers:
    http://staffwww.fullcoll.edu/jchadwick/popup_blocker.htm

    Then try DDS again.
    Follow by running these:

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    Re-enable your Antivirus software.
    ==============================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ============================
    About this:
    Someone needs to advise the school IT people that the USB drives are infected and need to be disinfected.

    Why are you using a USB drive?
  6. dayslayer8 Newcomer, in training

    Hi, thanks for the website. Unfortunately, it did not help me. Just like before, DDS will open up for just a fraction of a second then quickly close itself. Am I really hopeless now?
    As for the USB thing, I use it to transfer my projects and homework.
    Should I skip the DDS and continue with Combofix, or is DDS a must?
  7. Bobbye Helper on the Fringe

    Do you have No Script on Firefox? Open Firefox> Tools> Add-ons> Look for 'No Script'> if it's listed, disable it and restart Firefox. Then run DDS.

    If you still can't do it, continue on with Combofix and the Eset scan.
  8. dayslayer8 Newcomer, in training

    Hi! I checked Firefox and there was no "No Script" add-on. HOWEVER, during the ESET scan, DDS automatically started and it actually worked! I don't know why it just started, I never even clicked on it or anything, but it scanned and generated the 2 logs, which I will attach to this post with my other logs. As my ESET thing continues to scan, DDS started automatically again and generated the two logs for the second time. This is strange. I will attach my ComboFix log rather than pasting it, as it is too long.

    Thank you again for your continuous, persistent help.

    Edit: errr, DDS has just automatically opened up and scanned again, is this going to be a problem?

    Attached Files:

  9. Broni Malware Annihilator

    Message from Bobbye:

    ============================================================================

    I don't see any AV program running. What happened to NOD32?

    =======================================================================

    Please, uninstall AskBarDis as it's considered as an adware.

    =====================================================================

    Combofix looks fine.
    What are the current issues?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ======================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:

      Code:
      netsvcs
      drivers32 /all
      %SYSTEMDRIVE%\*.*
      %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
      %systemroot%\system32\*.wt
      %systemroot%\system32\*.ruy
      %systemroot%\Fonts\*.com
      %systemroot%\Fonts\*.dll
      %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
      %systemroot%\*. /mp /s
      /md5start
      /md5stop
      CREATERESTOREPOINT
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\System32\config\*.sav
      %systemroot%\system32\user32.dll /md5
      %systemroot%\system32\ws2_32.dll /md5
      %systemroot%\system32\ws2help.dll /md5
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  10. dayslayer8 Newcomer, in training

    Hi, thanks for taking over. I think I disabled my NOD32 during one of the scans but forgot to re-enable it. As for AskBarDis, I don't know how to uninstall it. It is not in 'Programs and Features', and when I searched for it, the only results were the two DDS logs; also it is not in my Firefox add-ons.
    My current problems are the same as before. I cannot open/start Internet Explorer and Windows Media Center. There is no sound output anymore. The Internet connection icon in the system tray shows no connection with a red cross thing when clearly I do have internet. Security Centre pop-up messages pop up every second saying I've disabled UAC, which is true though.
    Also, before, Windows automatic update would be disabled every time I started up the computer. However, it has stopped for some reason.
    Sorry, I cannot post the 2 logs as they are too long; I will attach them instead.
    Thanks.

    Attached Files:

  11. Broni Malware Annihilator

    As for AskBarDis we'll remove leftovers manually in a moment.

    See here: http://www.vistax64.com/tutorials/163857-security-center-specific-alert-notification.html how to disable that alert.

    What does happen when you try? Do you try to open them from the desktop shortcut?
    How about going Start>All Programs...?

    Any sound? Internet, Windows sounds, music CD?

    Are you posting from very same computer, using another browser, or....?

    =========================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
      [1 C:\Users\zihao\Desktop\*.tmp files -> C:\Users\zihao\Desktop\*.tmp -> ]
      @Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:586F1F7F
      @Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:341E39B2
      
      
      :Services
      
      :Reg
      
      :Files
      C:\Program Files\AskBarDis
      
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
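    The OTL fix above removes two Browser Helper Objects (by CLSID), an IE restrictions policy key, a ShellExecuteHooks entry and two alternate data streams on C:\ProgramData\TEMP. The following PowerShell is an added example, not code from the thread, from OTL or from TechSpot: it lists the BHOs registered on the machine with the DLL each CLSID resolves to, and lists alternate data streams under a folder, so the same findings can be checked before the fix and confirmed gone after it. It assumes PowerShell 3.0 or later (for the -Stream parameter) and an elevated prompt; the function names are made up for this example.

```powershell
# Added example (not from the thread, OTL or TechSpot). Assumes PowerShell 3.0+
# and an elevated prompt. Function names are invented for this example.

function Get-BrowserHelperObject {
    # BHOs are registered under these keys; Internet Explorer loads each one
    # whose CLSID resolves to an InprocServer32 DLL.
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')

    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid  = $key.PSChildName
            $server = $null
            foreach ($clsRoot in $clsidRoots) {
                $inproc = Join-Path $clsRoot "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    # The (default) value is the DLL path that gets loaded.
                    $server = (Get-ItemProperty -Path $inproc).'(default)'
                    break
                }
            }
            $exists = $false
            if ($server) {
                $exists = Test-Path ([Environment]::ExpandEnvironmentVariables($server.Trim('"')))
            }
            [pscustomobject]@{
                Hive      = $root.Split(':')[0]
                CLSID     = $clsid
                Dll       = $server            # $null means "No CLSID value found" in OTL terms
                DllExists = $exists
            }
        }
    }
}

function Get-AlternateDataStream {
    # Lists named NTFS streams on the items directly under $Path. Every file has
    # the unnamed ':$DATA' stream; anything else is an alternate data stream.
    param([string]$Path = $env:ProgramData)

    Get-ChildItem -Path $Path -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        Get-Item -Path $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Item   = $item.FullName
                    Stream = $_.Stream
                    Length = $_.Length
                }
            }
    }
}

# Usage: a BHO whose DLL no longer exists, or an unexpected stream such as
# TEMP:586F1F7F from the OTL scan, is what to look at.
Get-BrowserHelperObject | Format-Table -AutoSize
Get-AlternateDataStream -Path $env:ProgramData | Format-Table -AutoSize
```

    A `Zone.Identifier` stream on a downloaded file is the normal mark-of-the-web and not a finding; the streams OTL flagged here (`TEMP:586F1F7F`, `TEMP:341E39B2`) are the kind of unnamed-purpose streams worth noting. Running the two functions again after the fix should show neither the AskBar CLSIDs nor those streams.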
  12. dayslayer8 Newcomer, in training

    Hi, thanks for the link; it fixed the Security Centre message problem.

    Still, I cannot start Internet Explorer and Windows Media Player (sorry, it's Player; Media Center is fine); shortcut, start menu or in the program's folder, it just doesn't start when I click on it.

    Also, there is absolutely no sound whatsoever: online video, music, CD or even just programs' sounds, no sound output at all.

    Yes, I am using the same computer. The icon shows I have no internet connection and am not connected to the internet, while I am here using Firefox to make a post reply.

    As for the Java update, the installer kept giving me an error message:
    'Error 1719. The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance'

    here is my OTL fix log: (I will attach the scan log)

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{201f27d4-3704-41d6-89c1-aa35e39143ed}\ deleted successfully.
    C:\Program Files\AskBarDis\bar\bin\askBar.dll moved successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{3041d03e-fd4b-44e0-b742-2d9b88305f98} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041d03e-fd4b-44e0-b742-2d9b88305f98}\ deleted successfully.
    File C:\Program Files\AskBarDis\bar\bin\askBar.dll not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\Windows\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    C:\Windows\45235788142C44BE8A4DDDE9A84492E5.TMP\WiseCustomCalla.dll deleted successfully.
    C:\Windows\45235788142C44BE8A4DDDE9A84492E5.TMP folder deleted successfully.
    C:\Windows\msdownld.tmp folder deleted successfully.
    C:\Users\zihao\Desktop\~WRL0003.tmp deleted successfully.
    ADS C:\ProgramData\TEMP:586F1F7F deleted successfully.
    ADS C:\ProgramData\TEMP:341E39B2 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Program Files\AskBarDis\bar\Settings folder moved successfully.
    C:\Program Files\AskBarDis\bar\bin folder moved successfully.
    C:\Program Files\AskBarDis\bar folder moved successfully.
    C:\Program Files\AskBarDis folder moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 41620 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Desktop
    ->Temp folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: user
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 283173944 bytes
    ->Java cache emptied: 73708168 bytes
    ->FireFox cache emptied: 89351040 bytes
    ->Flash cache emptied: 22672 bytes

    User: zihao
    ->Temp folder emptied: 960272 bytes
    ->Temporary Internet Files folder emptied: 732443 bytes
    ->Java cache emptied: 155784053 bytes
    ->FireFox cache emptied: 44754394 bytes
    ->Flash cache emptied: 61819 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 283885219 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 78977958 bytes

    Total Files Cleaned = 965.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Desktop

    User: Public

    User: user
    ->Flash cache emptied: 0 bytes

    User: zihao
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.9.1 log created on 08072010_101612

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

    Attached Files:

    • OTL.Txt (111.1 KB)
  13. Broni Malware Annihilator

    Open Windows Explorer.
    Navigate to C:\Program Files>Internet Explorer and double click on iexplore.exe.
    Will IE start?

    Go Start>Control Panel>Device Manager
    Do you have any errors there?

    Regarding Java...
    Run JavaRa first to uninstall old Java versions.
    Then go my link to update Java, but make sure to download "offline" version and try to install it again by double clicking on downloaded file.
  14. dayslayer8 Newcomer, in training

    Hi, unfortunately, iexplore still does not start and there are no errors in Device Manager.
    The Java installer still gives the same error even after uninstalling the old version first.
  15. Broni Malware Annihilator

    Uninstall IE8.
    Go Start>Control Panel>Programs & Features
    Click on "View installed updates" in left pane.
    Look for Windows Internet Explorer 8 and uninstall it.
    It'll revert itself to IE7.
    See, if IE7 will work.
  16. dayslayer8 Newcomer, in training

    Hi. Unfortunately, Windows Internet Explorer is not in Programs and Features.
    I just discovered that in the "uninstall an update" section in Programs and Features, all the items have disappeared.

    I've also checked in the Internet Explorer folder in Program Files and did not find an uninstaller.
  17. Broni Malware Annihilator

  18. dayslayer8 Newcomer, in training

    Uninstalled IE8, and Internet Explorer still does not start.
  19. Broni Malware Annihilator

    Go Start>Run ("Start Search" in Vista/7), type in:
    sfc /scannow
    Click OK (hold CTRL, and SHIFT, hit Enter in Vista/7).
    Have Windows CD/DVD handy (with Vista/7, most likely, you won't need it).
    If System File Checker (sfc) will find any errors, it may ask you for the CD/DVD (rarely in Vista/7 case).
  20. dayslayer8 Newcomer, in training

    Hi, I've done sfc /scannow. The cmd window closed itself after the scan, and I didn't pay attention and did not see any messages. I guess it's all good? However, I still have the same problems as before. Does this mean that the virus is still on the computer?
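    When the sfc /scannow console window closes before its result can be read, as happened here, the result is still recorded: System File Checker writes lines tagged [SR] to %windir%\Logs\CBS\CBS.log. The PowerShell below is an added example, not from the thread, that pulls those lines out and summarises whether the scan verified cleanly, found files it could not repair, or repaired something. It assumes the standard CBS.log location and an elevated prompt; the function name and the message patterns it matches on ("Verify complete", "Cannot repair member file", "Repair complete") are taken from typical CBS.log content and are an assumption of this example.

```powershell
# Added example (not from the thread). Assumes the default CBS.log location and
# an elevated prompt; the function name and matched phrases are this example's own.

function Get-SfcSummary {
    param([string]$LogPath = "$env:windir\Logs\CBS\CBS.log")

    if (-not (Test-Path $LogPath)) {
        throw "CBS log not found at $LogPath"
    }

    # Only the [SR] lines belong to System File Checker; the rest of CBS.log
    # is servicing-stack noise from Windows Update and component installs.
    $sr = Select-String -Path $LogPath -Pattern '\[SR\]' | ForEach-Object { $_.Line }

    [pscustomobject]@{
        SrLines        = $sr.Count
        VerifyComplete = @($sr | Where-Object { $_ -match 'Verify complete' }).Count -gt 0
        Unrepairable   = @($sr | Where-Object { $_ -match 'Cannot repair member file' })
        RepairComplete = @($sr | Where-Object { $_ -match 'Repair complete' }).Count -gt 0
        LastLines      = @($sr | Select-Object -Last 5)
    }
}

# Usage: an empty SrLines count means sfc never ran (or wrote nothing), which
# is a different finding from a scan that completed with no corruption.
$summary = Get-SfcSummary
$summary | Format-List
$summary.Unrepairable
```

    The same lines can be pulled with the plain command Microsoft documents, `findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log`, redirected to a text file; the function above just turns that into a yes/no answer to the question asked in this post.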