[Solved] Virus on my laptop, same as Longsuffering I think.


NeedHelpP

Hi, I'm new to this forum, so if I should have posted my issue under user Longsuffering's thread I'm sorry; it seems like we have the same problems.

A couple of days ago I got something on my laptop that I can't seem to be able to remove by myself. Every time I'm using Google, my ESET NOD32 gives me a warning that it blocked an address from IP number 213.163.89.106:80 and 213.163.89.105:80.

I made scans with ESET and with Malwarebytes, and they found a couple of infections, which I deleted/removed. But the problems still remain.

I followed the steps in the Virus/Malware removal instructions thread, and I also added the first Malwarebytes log that I made before finding this forum.

So if you will be able to help me with this I would be very very grateful!
 

Attachments

  • Attach.txt (14.3 KB)
  • DDS.txt (13.1 KB)
  • mbam-log-2010-04-29 (12-08-17).txt (2.2 KB)
  • mbam-log-2010-05-04 (23-52-58).txt (976 bytes)
  • gmer.log (6 KB)

Amazing! There are actually 3 of you posting about this same IP!
The site you're asking about is:
inetnum: 213.163.89.0 - 213.163.89.127
netname: HSSN-NET
descr: High Secured Space Network Group
country: NL
Your hosts file has been hijacked by a site in Poland.
===================
Please print this out and follow exactly:

You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

  • [1]. Shut down your computer, and any other computer connected to your router.
    [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    [3]. Unplug the router. Wait sixty seconds.
    [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    [5]. With the router unplugged, start your computer. Run MBAM again.
    [6]. Connect to the router again. Then turn the router back on.
    [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
    [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
==================
Please download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
============================
And although you also have the Eset security, I would like you to run this online scan:
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please leave both logs in your next reply.

I would like to mention that your abundance of poker programs and use of uTorrent will be ongoing sources of malware.
 
...

Thanks for looking into this, Bobbye; I'm very grateful.

Before I run ComboFix and the ESET online scan, is there any easy way to convert the logs into English? My computer skill isn't the best, sorry.
 
Just be sure to check 'English.' The topics are okay in another language, but I have to be able to make out the files and folders well enough to know whether they are legitimate or not. Do what you can; if I'm not sure, I may ask you to translate.
 
...

Hi again, sorry I didn't upload the files requested yesterday; I had some trouble reconnecting to the net after resetting my router.

It seems to be working better now, no warnings when I use Google anyway. However, I ran the ESET NOD32 online scan and it found 1 threat, but somehow it didn't save a log file on my computer, so I ran it again and there were no threats, and this time I found the log for the scan.

This was the threat the first scan deleted:
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir Win32/Patched.EQ trojan deleted - quarantined

I translated most of the words in the ComboFix log to English.

So would appreciate if you can have a look at it.

Best Rgs...
 

Attachments

  • Combofix.txt (13.7 KB)
  • log.txt (721 bytes)

Thanks for the translation! Combofix found the file and replaced it. 'Qoobox' is the name of the folder where Combofix puts the quarantined/deleted files, so it shouldn't be a problem in the system now and will be dropped when Combofix is uninstalled.

When you reset the router, did you secure it with a password?
There is still malware on the system:

Please download SystemLook from one of the links below and save it to your Desktop:
  • Double-click SystemLook.exe to run it.
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    Code:
          :filefind
          iastor.*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan, Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
=============================
Custom CFScript


  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\youja_.dll

Folder::
Registry::
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Are you running a Marvell Yukon gigabit ethernet adapter?

Please leave both logs in next reply.

Have you noticed any difference since you did the DNS flush and router reset?
 
...

Hi again Bobbye,

Pretty sure we secured it with a password.
Not sure, though, what adapter we have, but I can look into that.

The attack-blocked notifications from ESET have stopped when I use Google, but it's not working as it should anyway; for example, if I search for something like a name or anything, I don't get the regular hits that I've gotten before. Hope you understand what I mean?

When I ran ComboFix the screen went blue after a while with some error message, so I ran it again in safe mode, but I didn't succeed in disabling the antivirus program there, so I made the scan with it on. Hope that's OK?

Here are the logs you requested.
 

Attachments

  • SystemLook.txt (1.9 KB)
  • ComboFixlog.txt (12.1 KB)

You have processes loading for both AVG and Eset Nod32. Multiple antivirus programs can actually make you more vulnerable and slow the system down. Regarding the following entries:
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated)
FW: AVG Firewall *disabled*


This is from the top of the Combofix report. You need to get this down to one antivirus program and one firewall. Do that now please and then let me know which you are keeping. I will wait to write the script for you until I know this.

It 'looks like' you may have had AVG installed at one time but are now using Eset Nod32. If this is correct, run this to remove AVG:
AVG Removal: Note: You may have to reinstall AVG to uninstall it fully.

Reboot the computer when through.
 
...

Hi,

I had AVG earlier but changed to ESET when I got the "virus", but I removed ESET, so I'm currently running AVG.

Best Rgs
 
As you can see, the Eset program was not removed.

Please make sure all of your security programs are disabled before running the following. You now have Combofix on your desktop so you can go offline and safely handle the code.

Custom CFScript


  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program\ESET\ESET NOD32 Antivirus\ekrn.exe
Folder::

RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]

FCopy::
C:\WINDOWS\DriverPacks\M\I3\IASTOR.sys | C:\WINDOWS\system32\drivers\iastor.sys

DDS::
uURLSearchHooks: H - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Notify: youja_ - youja_.dll
Hosts: 89.149.249.198 www.google.com
Hosts: 89.149.249.198 www.google.de
Hosts: 89.149.249.198 www.google.fr
Hosts: 89.149.249.198 www.google.co.uk
Hosts: 89.149.249.198 www.google.com.br
Hosts: 89.149.249.198 www.google.it
Hosts: 89.149.249.198 www.google.es
Hosts: 89.149.249.198 www.google.co.jp
Hosts: 89.149.249.198 www.google.com.mx
Hosts: 89.149.249.198 www.google.ca
Hosts: 89.149.249.198 www.google.com.au
Hosts: 89.149.249.198 www.google.nl
Hosts: 89.149.249.198 www.google.co.za
Hosts: 89.149.249.198 www.google.be
Hosts: 89.149.249.198 www.google.gr
Hosts: 89.149.249.198 www.google.at
Hosts: 89.149.249.198 www.google.se
Hosts: 89.149.249.198 www.google.ch
Hosts: 89.149.249.198 www.google.pt
Hosts: 89.149.249.198 www.google.dk
Hosts: 89.149.249.198 www.google.fi
Hosts: 89.149.249.198 www.google.ie
Hosts: 89.149.249.198 www.google.no
Hosts: 89.149.249.198 www.google.ru
Hosts: 89.149.249.198 www.google.ua
Hosts: 89.149.249.198 www.google.pl
Hosts: 89.149.249.198 www.google.ro
Hosts: 89.149.249.198 www.google.co.nz
Hosts: 89.149.249.198 www.google.in
Hosts: 89.149.249.198 www.google.th
Hosts: 89.149.249.198 www.google.tr
Hosts: 89.149.249.198 www.google.hu
Hosts: 89.149.249.198 www.google.cr
Hosts: 89.149.249.198 www.google.lv
Hosts: 89.149.249.198 www.google.lt
Hosts: 89.149.249.198 www.google.bg
Hosts: 89.149.249.198 www.google.be
Hosts: 89.149.249.198 www.google.vn
Hosts: 89.149.249.198 www.google.ve
Hosts: 89.149.249.198 www.google.sw
Hosts: 89.149.249.198 search.yahoo.com
Hosts: 89.149.249.198 us.search.yahoo.com

Driver::
ekrn
FCopy::
C:\WINDOWS\DriverPacks\M\I3\IASTOR.sys | C:\WINDOWS\system32\drivers\iastor.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Be sure to copy all the contents of the code box to drag into Combofix.

Are you running a Marvell Yukon gigabit ethernet adapter?
 
...

Hi again Bobbye. What I meant was that I removed ESET after your last post, when you said I should choose one of the two antivirus programs.

I do not run a Marvell Yukon gigabit ethernet adapter...

Here is the log file after I used the script in ComboFix. Did that script work now that I don't run ESET antivirus software anymore?

Best Rgs
 

Attachments

  • ComboFIXlog.txt (13.3 KB)

It looks good to me! The script just had one left-over entry for Eset. It was removed. The one locked Registry file I was concerned about is okay; it's actually a Microsoft file relating to language, so no problem. One more file needs to be removed and then I think we can close up shop!

Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"yksvc"=-
Driver::
yksvc
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . You don't need to leave the log.
=====================
Please download this to replace the Host files:
MVPS Hosts file. This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
===============================
If the problems have been resolved, Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [Image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

====================
Let me know if I can be of any more help.
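
The CFScript earlier in this thread removed a block of `Hosts:` lines that pinned every regional google.* domain and search.yahoo.com to 89.149.249.198, and the MVPS replacement described in the post above works the other way round, pinning ad domains to 127.0.0.1. The script below is an added example written for this page, not a tool from the thread or from MVPS: it parses a hosts file and separates the two cases, treating loopback/0.0.0.0 targets as blocking entries and any public-IP target as a redirect, flagging redirects of search-engine and vendor domains as hijacks. The sample hosts contents are constructed to mirror the entries quoted in the thread, and the watch-list of domains is an assumption to tune for your own environment.

```python
import ipaddress
import os

# Constructed sample, modelled on the hijacked entries quoted in the thread
# (89.149.249.198 -> google/yahoo) plus two MVPS-style blocking lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ad.doubleclick.net
127.0.0.1 www.example-adserver.test   # MVPS-style block (constructed)
89.149.249.198 www.google.com
89.149.249.198 www.google.se
89.149.249.198 search.yahoo.com
"""

# Assumption: domains a home machine has no legitimate reason to pin
# to a public address in its hosts file. Extend for your environment.
WATCHED_SUFFIXES = (
    "google.com", "google.se", "yahoo.com",
    "microsoft.com", "windowsupdate.com",
)


def hosts_path():
    """Default hosts file location for the current OS."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Return [(ip_address, hostname), ...], skipping comments and junk lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; a stricter tool would report it
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def is_sink(ip):
    """Loopback (127/8, ::1) and 0.0.0.0 are blocking targets, not redirects."""
    return ip.is_loopback or ip.is_unspecified


def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Classify every entry: count blocks, collect redirects, flag hijacks."""
    hijacks, blocks, redirect_targets = [], 0, {}
    for ip, host in parse_hosts(text):
        if is_sink(ip):
            if host != "localhost":      # the stock localhost line is normal
                blocks += 1
            continue
        # Any public-IP mapping overrides DNS for that name: a redirect.
        redirect_targets.setdefault(str(ip), []).append(host)
        if is_watched(host):
            hijacks.append((host, str(ip)))
    return {"hijacks": hijacks, "blocks": blocks,
            "redirect_targets": redirect_targets}


def audit_file(path=None):
    with open(path or hosts_path(), encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"blocking entries: {report['blocks']}")
    for ip, names in report["redirect_targets"].items():
        print(f"redirect target {ip}: {len(names)} name(s)")
    for host, ip in report["hijacks"]:
        print(f"HIJACK  {host} -> {ip}")
```

On the machine in this thread, `audit_file()` would have reported one redirect target (89.149.249.198) carrying some forty google.* and yahoo names, which is the signature to look for; after the MVPS file is installed the same call should show thousands of blocking entries and no redirect targets at all. A hosts file with even one public-IP redirect of a search engine or update domain is a hijack until proven otherwise.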
 
...

I think it's working as it should now! =)

I ran AVG/Malwarebytes scans and they didn't find anything wrong, and Google is back to normal, so I guess it's safe now.

I'm so grateful, Bobbye. Thank you very, very much!

Best Rgs
 
You're welcome. Glad to help. Here are some tips for you:

Please follow these simple steps to keep your computer clean and secure:

1.Disable and Enable System Restore: See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
2.Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier versions, as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3.Make Internet Explorer safer. Follow the suggestions HERE This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
4.Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC
5. Use an AntiVirus Software(only one)
See Virus, Spyware, and Malware Protection and Removal Resources

6.Use a good, bi-directional firewall(one software firewall) I recommend either of these software firewalls.- both are free and good:
Comodo or Zone Alarm
7.Consider these programs for Extra Security
  • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar Get the free google toolbar to help stop pop up windows.

I'm going to close this thread, but let me know if you need help in the future.
 