Solved 213.163.89.105.80 and 213.163.89.106.80 virus, need help removing!

Status
Not open for further replies.

jarhaimn

Posts: 17   +0
So, I managed to get this virus while browsing on the internet. Whenever I search on google my antivirus (ESET Nod32) keeps blocking attacks from the following ip-adresses:

213.163.89.105.80
213.163.89.106.80

and

78.47.248.116:80.

Also had some nasty trojans attacking, but ESET has quarantined them all. Sometimes when I browse random sites pops up, and I get warnings from my antivirus. I keep getting warning messages from the previously mentioned adresses, but only when googling something. Computer is kinda slow aswell, but other than that it's allright. I really want to get rid of this mess though!

I have done the seven steps, and I'm attaching the necessary files. Note that some of the logs are in swedish, but you should be fine understanding, as both the ESET Nod32 log and Malwarebytes Anti-Malware log is clean.

IMPORTANT NOTE: GMER kept crashing somewhere halfway through the search. Therefore, the log I am attaching is not one from a complete search, but it has searched through the registry and system32 and all those folders, and it found alot of nasty stuff, so hopefully it should be sufficient. If not, I'll make a new scan later if necessary and include the complete log (God that program takes forever haha!)

IMPORTANT NOTE 2:I have already tried using combofix following another thread with a user that seemed to have the same virus, with limited success. I therefore already have the Qoobox folder with some files quarantined inside. Just for your information, if you want me to remove it before continuing or something!

I appreciate all help!
 

Attachments

  • ESET Nod32 Log.txt
    143.7 KB · Views: 1
  • mbam-log-2010-05-10 (15-22-48).txt
    977 bytes · Views: 1
  • DDS.txt
    18.7 KB · Views: 1
  • Attach.txt
    20.1 KB · Views: 1
As for GMER, I don't see any log.
If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

I'd like to see combofix.txt file located in C folder
 
Oh haha, my bad, I missed uploading that one! Attaching both the gmer log and the combofix.txt in this post!

EDIT: I also have a ComboFix4.txt, but for some reason the "manage attachments" window keeps crashing when I try to upload it :S
 

Attachments

  • gmer.log
    17.3 KB · Views: 2
  • ComboFix2.txt
    27.6 KB · Views: 1
  • ComboFix3.txt
    27.5 KB · Views: 1
  • ComboFix.txt
    27.6 KB · Views: 3
I strongly suggest, you uninstall RegCure. Registry tools are not recommended and here is why: http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

You're infected with a rootkit.

Please, delete your GMER file and...

Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
 
Thanks alot Broni for the quick answers!!

Regcure uninstalled, deleted old gmer file and just about to run the new one. Will post the log as soon as its done!
 
Crashed again, so i'm unchecking devices this time. It's required to turn off the anti-virus aswell isn't it? Will come with the result as soon as possible!
 
Unchecked devices and it worked just fine! Here comes the gmer log from a complete scan!
 

Attachments

  • gmer.log
    14.9 KB · Views: 5
Delete your Combofix file.
Download fresh one and...

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
TDL::
C:\WINDOWS\system32\drivers\pciide.sys


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
Here is the logs!

EDIT: Googling stuff doesn't give me any warnings at the moment :D
 

Attachments

  • hijackthis.log
    11.2 KB · Views: 1
  • combofix.txt
    24.9 KB · Views: 3
Very good :)
Let's double check.
Delete your GMER file and...

Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
 
wow GMER has to be the slowest scanning program EVER! haha anyway, it crashed when it was nearly done, im doing another scan later on today! :)
 
It looks good :)
Is ESET still complaining?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

====================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
    [*] Archives
    [*] Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 
ESET has not been complaining at all :) No attacks, no trojans, nothing! I did a scan last night and it showed nothing aswell. Will follow the steps you posted now!

EDIT: Question, when i type in Combofix /Uninstall it makes combofix run just like it did before, asking me to accept the terms and conditions and stuff. Is it supposed to be that way?
 
Okey ran TFC, and the online scan, and it came up with 4 infected exe's, but I think they are false alarms really. Here's the log anyway!

NOTE: Scanning these files with ESET results in nothing, but Hitman Pro found malware. Shall I remove through Hitman? (Rushed and already deleted the first one haha :p)
 

Attachments

  • kasperskyscan.txt
    1.1 KB · Views: 2
Very good :)

when i type in Combofix /Uninstall it makes combofix run just like it did before, asking me to accept the terms and conditions and stuff. Is it supposed to be that way?
Delete Combofix manually....
Delete Combofix, Qoobox folders,and Combofix.txt file from C:
Delete Combofix from your desktop

======================================================================

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\Program\Adobe\Adobe Illustrator CS3\TCommander.exe
- C:\Program\VentriloMIX\Ventrilo 2.2.0.exe
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
If the result says 0/42, you don't have to post logs.
 
I already deleted TCommander.exe through ESET, I got a little rash and did stuff myself there.

However results for Ventrilo 2.2.0.exe was 12/40, here's the log! :)
 

Attachments

  • virustotallog.txt
    31.2 KB · Views: 1
Please, delete that file as well. Make sure, you empty Recycle Bin afterwards.
Give me fresh HJT log...
 
Print this post out, since you won't have an access to it, at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)



4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

O4 - HKLM\..\Run: [ISUSPM Startup] C:\Program\DELADE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program\Delade filer\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe


5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.
 
Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.
 
Thank you so much!!!!:D:D I have run defrag on both harddrives and downloaded Wot. Also fixed the system restore points like you instructed me. Everything seems to be running smooth now! Do you have any other helpful tips when it comes to speeding up the computer? :)
 
Status
Not open for further replies.
Back