Probably infected, please help

By evantro
Jun 18, 2010
Topic Status:
Not open for further replies.
  1. Hello I would like some help,

    I am probably infected but I don't know by what and how to remove it.

    I have NOD32 installed, and pop-ups appear all the time telling me that it blocked URLs like a76956922.cn/.... or lk014a71gg1.cc/....
    with the following IP:
    213.163.89.105
    213.163.89.106
    78.47.248.112

    I can't access www.windowsupdate.com

    I tried several tools but they don't find anything.

    I have followed the procedure and I can attach several logs, hoping that someone will be able to help me.

    Thanks

    Eric


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Many people who have a firewall or a security program with 'blocking ability', assume that if a site is blocked, it's a bad thing. On the contrary, it is not.

    The IPs you gave are:
    IP 213.163.89.105
    netname: HSSN-NET
    descr: High Secured Space Network Group
    country: NL (the Netherlands)

    IP 78.47.248.112
    netname: SIARHEI-SHANDROKHA
    descr: Siarhei Shandrokha
    country: DE (Germany)

    If you have a bi-directional firewall, that is, a firewall that will block both incoming and outgoing, then either of the above is running a scan on the internet, looking for unprotected systems. This is considered 'normal internet traffic'. Thousands of these scans go on all the time.

    Or you have malware on the system that is 'calling home'- that is, attempting to transmit information from your computer to their site.

    On the other hand, if you are only using a firewall that 'listens' at incoming ports, like the Windows firewall, then it would only block incoming attempts to access.

    You do not tell me what you are doing when you get the block, so I can't evaluate it. As for not being able to get Windows updates, you do not tell me why. If it's a problem accessing the update site, that is happening frequently, with or without malware, and just needs repeated attempts.

    I'll check your logs now and see if it is malware.
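    The distinction the reply above draws, inbound blocks (unsolicited scans) versus outbound blocks (something on the host initiating a connection), is the first thing to triage in a firewall log. The following is an added example, not code from the thread or from any product mentioned in it: it parses a constructed, simplified firewall log format (timestamp, direction, local endpoint, remote endpoint, action; NOD32's real log format is not shown on the page and is not assumed here) and gives a per-remote-IP verdict. The sample lines reuse the three IPs Eric posted plus one documentation-range address as an allowed connection.

```python
"""Triage firewall block events: inbound-only remotes are scan noise; any
outbound block means a local process initiated the connection and must be
identified. Added example; the log format below is constructed, not NOD32's."""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample log: "<date> <time> <IN|OUT> <local_ip:port> <remote_ip:port> <BLOCK|ALLOW>"
SAMPLE_LOG = """\
2010-06-18 09:01:12 IN  192.168.1.10:445   213.163.89.105:53421 BLOCK
2010-06-18 09:01:13 IN  192.168.1.10:135   213.163.89.105:53422 BLOCK
2010-06-18 09:02:40 OUT 192.168.1.10:49201 213.163.89.106:80    BLOCK
2010-06-18 09:02:41 OUT 192.168.1.10:49202 78.47.248.112:80     BLOCK
2010-06-18 09:05:00 OUT 192.168.1.10:49203 203.0.113.5:443      ALLOW
2010-06-18 09:06:30 IN  192.168.1.10:3389  78.47.248.112:40000  BLOCK
"""


@dataclass(frozen=True)
class Event:
    direction: str   # "IN" or "OUT", relative to the local host
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    action: str      # "BLOCK" or "ALLOW"


def parse_line(line: str) -> Event:
    """Parse one constructed-format line; raises ValueError on malformed input."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"unexpected field count: {line!r}")
    _date, _time, direction, local, remote, action = parts
    if direction not in ("IN", "OUT") or action not in ("BLOCK", "ALLOW"):
        raise ValueError(f"bad direction/action: {line!r}")
    lip, lport = local.rsplit(":", 1)
    rip, rport = remote.rsplit(":", 1)
    ip_address(lip)  # validate both addresses, raises ValueError if not an IP
    ip_address(rip)
    return Event(direction, lip, int(lport), rip, int(rport), action)


def parse_log(text: str) -> list[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def triage(events: list[Event]) -> dict[str, dict]:
    """Per remote IP: count blocked IN/OUT events and assign a verdict.

    'inbound-scan'        -> only unsolicited inbound attempts were blocked;
                             normal background noise, no action needed.
    'investigate-outbound'-> at least one outbound connection from this host
                             was blocked; find the process that opened it.
    Allowed events are ignored: they tell you nothing about blocking."""
    summary: dict[str, dict] = {}
    for e in events:
        if e.action != "BLOCK":
            continue
        s = summary.setdefault(e.remote_ip, {"in": 0, "out": 0, "out_ports": set()})
        if e.direction == "IN":
            s["in"] += 1
        else:
            s["out"] += 1
            s["out_ports"].add(e.remote_port)
    for s in summary.values():
        s["verdict"] = "investigate-outbound" if s["out"] else "inbound-scan"
    return summary


if __name__ == "__main__":
    for ip, s in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:16} in={s['in']} out={s['out']} ports={sorted(s['out_ports'])} -> {s['verdict']}")
```

On the constructed sample, 213.163.89.105 only ever knocks on 445 and 135 from outside, which is exactly the scan noise the reply describes, while 213.163.89.106 and 78.47.248.112 were contacted from the host itself on port 80; those two are the ones that need an answer to "which process opened that connection", which is what the logs requested in the next post are for.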
  3. Bobbye


    Eric, you do have a Rootkit malware infection. Please run the following:

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please include these logs in your next reply.
    It will also help me if you'd describe what problems you're having besides the Windows Update.

    I hope you didn't mind my FYI about 'blocking'. There is so much misunderstanding as to what this means.
  4. evantro

    evantro Newcomer, in training Topic Starter Posts: 16

    Here are the logs (I didn't find the Eset log).

    For a while Internet Explorer didn't work, with a strange error message. Now it seems ok.

    Thanks a lot

    Eric


  5. Bobbye


    Please rescan with Eset and leave log in next reply.
    The description of the problem you are giving does not give me enough information to work with.
    ------------------------------------------------
    Custom CFScript


    [1]. Close any open browsers.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\is3srv.sys
    c:\windows\system32\DRIVERS\szkg.sys 
    c:\windows\system32\drivers\szkgfs.sys 
    Folder::
    c:\temp\Traces
    C:\Temp
    Registry::
    
    Driver::
    Peauvcsf
    is3srv
    szkg5
    szkgfs
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Choose v2.0.4
    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Why are there No Restore Points on system?
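    The FCopy:: line in the script above overwrites C:\Windows\System32\drivers\atapi.sys with the copy kept under C:\WINDOWS\ServicePackFiles\i386. Whether that copy was needed, and whether it took, is something you can check yourself by hashing the two files before and after. The following is an added example, not code from the thread or from ComboFix: it compares a list of driver names across an installed directory and a reference directory and reports match, mismatch (with the size difference) or missing. The demo builds both directories in a temp folder with constructed file contents (the "tampered" atapi.sys is simulated by appending bytes); on a real machine you would point it at the two Windows paths.

```python
"""Compare installed drivers against their ServicePackFiles reference copies.

Added example, not part of the thread. The directory layout and file contents
in build_demo() are constructed for illustration only."""
import hashlib
import tempfile
from pathlib import Path

# Drivers named in the CFScript's FCopy:: line plus one extra as a control.
DEFAULT_DRIVERS = ["atapi.sys", "disk.sys"]


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large drivers do not load into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(installed_dir, reference_dir, names=DEFAULT_DRIVERS) -> dict[str, dict]:
    """For each driver name return status 'match', 'MISMATCH' or 'missing'.

    size_delta is installed size minus reference size; a positive delta on a
    mismatch is typical of a driver that had code appended to it rather than
    one that was simply replaced by a different build."""
    installed_dir, reference_dir = Path(installed_dir), Path(reference_dir)
    report: dict[str, dict] = {}
    for name in names:
        inst, ref = installed_dir / name, reference_dir / name
        if not inst.is_file() or not ref.is_file():
            report[name] = {"status": "missing",
                            "installed_present": inst.is_file(),
                            "reference_present": ref.is_file()}
            continue
        h_inst, h_ref = sha256_file(inst), sha256_file(ref)
        report[name] = {
            "status": "match" if h_inst == h_ref else "MISMATCH",
            "installed": h_inst,
            "reference": h_ref,
            "size_delta": inst.stat().st_size - ref.stat().st_size,
        }
    return report


def build_demo() -> tuple[Path, Path]:
    """Create a constructed System32\\drivers and ServicePackFiles\\i386 pair in a temp dir.

    atapi.sys is made to differ (7 bytes appended); disk.sys is identical."""
    root = Path(tempfile.mkdtemp(prefix="driverdemo_"))
    installed = root / "System32" / "drivers"
    reference = root / "ServicePackFiles" / "i386"
    installed.mkdir(parents=True)
    reference.mkdir(parents=True)
    clean_atapi = b"MZ" + b"\x00" * 100          # constructed stand-in, not a real PE
    (reference / "atapi.sys").write_bytes(clean_atapi)
    (installed / "atapi.sys").write_bytes(clean_atapi + b"PATCHED")  # simulated tampering
    clean_disk = b"MZ" + b"\x01" * 50
    (reference / "disk.sys").write_bytes(clean_disk)
    (installed / "disk.sys").write_bytes(clean_disk)
    return installed, reference


if __name__ == "__main__":
    inst_dir, ref_dir = build_demo()
    for name, r in compare_drivers(inst_dir, ref_dir).items():
        print(f"{name:10} {r['status']:9}", {k: v for k, v in r.items() if k != "status"})
```

Run the comparison from a clean boot environment (or at least once more after ComboFix has done the copy) rather than trusting a single pass on the live system: a kernel-mode rootkit that hooks file reads can hand back the clean bytes to user-mode tools, so a "match" obtained while the infection is running is weaker evidence than one obtained from offline media.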
  6. Bobbye


    Closing thread due to inactivity. If you still require help, please send a PM to your helper and request that the thread be reopened.

