aswMBR finds but cannot fix

Dear friends,
I have had these 2 problems for a few months:
  1. My Chrome/IE Explorer/Firefox would always search with “globasearch.com”. I first uninstalled it and then removed it from preferences, also cleared things like: "c:\program files\internet explorer\ie.exe globasearch.com"

For a month or two I thought it was gone… Then something weird started to happen. Only once after each time I have a full antivirus scan, or fix MBR; when I write to the address bar of Chrome to search, it searches with a “google partner”, not showing “globasearch.com” this time. It feels like the CIS virus years ago. You would fdisk the machine and after tens of times, it would pop up “Ha ha ha! You still couldn’t delete me!”

  2. On Avast and Comodo, and sometimes on Windows Update, I cannot update the virus definitions.

I scanned today with aswMBR and here’s the log output:

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-05-10 18:28:18

18:28:18.689 OS Version: Windows 6.1.7601 Service Pack 1
18:28:18.689 Number of processors: 2 586 0x1C02
18:28:18.695 ComputerName: COMPNAME UserName:
18:28:19.585 Initialize success
18:28:19.969 AVAST engine defs: 13040700
18:28:54.172 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
18:28:54.181 Disk 0 Vendor: Hitachi_HTS543216L9SA00 FB2OC40C Size: 152627MB BusType: 3
18:28:54.272 Disk 0 MBR read successfully
18:28:54.283 Disk 0 MBR scan
18:28:54.298 Disk 0 Windows 7 default MBR code
18:28:54.313 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 84810 MB offset 63
18:28:54.361 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 62761 MB offset 173694780
18:28:54.413 Disk 0 Partition 3 00 0C FAT32 LBA MSDOS5.0 5004 MB offset 302230845
18:28:54.471 Disk 0 Partition 4 00 EF EFI FAT A1359 47 MB offset 312480315
18:28:54.530 Disk 0 scanning sectors +312576705
18:28:54.710 Disk 0 scanning C:\Windows\system32\drivers
18:29:43.197 Service scanning
18:35:44.718 Service sptd C:\Windows\System32\Drivers\sptd.sys LOCKED 32
18:35:46.198 Service Spyshelter C:\Program Files\SpyShelter Personal Free\SpyShelter.sys LOCKED 32
18:37:33.928 Modules scanning
18:38:05.373 Disk 0 trace - called modules:
18:38:05.460 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x865301f8]<<
18:38:05.489 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x866e4030]
18:38:05.515 3 CLASSPNP.SYS[89b9259e] → nt!IofCallDriver → [0x86591918]
18:38:05.543 5 ACPI.sys[895ba3d4] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x865fd030]
18:38:05.570 \Driver\atapi[0x865fbf38] → IRP_MJ_CREATE → 0x865301f8
18:38:06.431 AVAST engine scan C:\Windows\System32
18:45:22.881 File: C:\Windows\System32\csrsrv.dll INFECTED Win32:Aluroot-B [Rtk]
18:55:55.239 File “C:\Windows\System32\csrsrv.dll” has been saved successfully to:
18:55:55.240 “D:\linux rescues untried\copy_csrsrv.dll”
19:03:19.148 Scan finished successfully
19:04:26.807 Disk 0 MBR has been saved successfully to “C:\Users\LauraHikgen\Desktop\MBR.dat”
19:04:26.845 The log file has been saved successfully to “C:\Users\LauraHikgen\Desktop\aswMBR.txt”

Please disregard sptd.sys and SpyShelter.sys, as they are legitimate files.

Btw, I already tried Rkill, ComboFix and at least 20 different antivirus and rootkit detectors. None works.

Thanks!

Hi there, let's confirm that aswMBR cured it and also look for any other miscreants.

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please attach its contents on your next reply.

THEN

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

I use a simple netbook, that's why the scans take long.

Attached!

First a question … Did you set the proxies in IE and Firefox ?

TDSSKiller shows no problem with that file; is aswMBR still reporting it?

Could you attach the ComboFix log please?

No, I didn't set any proxies. I used an anti-malware program called “Hitman Pro”; it kept saying that there is a proxy on 127.0.0.1:59333.
I blocked 59333 inbound and outbound for both TCP and UDP.

Yes AswMBR keeps reporting it.

OK, I will run ComboFix again and send you the log; I think I deleted the log of the last scan I made about 2 weeks ago.

By the way, when I open IE, Firefox, Chrome, there are no proxies.

OK, you are the second one to show this file in aswMBR; in both cases it is the only programme reporting it.

I believe this to be a false positive. Does a standard Avast scan find it?

OK, let's kill the proxies.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:59333
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:59333
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8118

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I ran ComboFix and it simply wouldn't start the “stages”. So I closed it and ran it in safe mode.

The ComboFix log is in the attachment.

About OTL, I ran the fix but it gave me an error about the "prefs.js". I clicked “OK”, it went on running. It said: "Processing FF - prefs.js..network.proxy.http: “127.0.0.1”" ← But it kept saying this for 20 minutes so I had to restart.

Btw, no, the standard Avast cannot find it.

OK, let's ensure that the proxies are reset. I have passed this to Avast as an FP.

Please download MiniToolBox, save it to your desktop and run it.

https://dl.dropbox.com/u/73555776/minitoolbox.JPG

Checkmark the following checkboxes:

[*]Flush DNS
[*]Report IE Proxy Settings
[*]Reset IE Proxy Settings
[*]Report FF Proxy Settings
[*]Reset FF Proxy Settings
[*]List content of Hosts
[*]List IP configuration
[*]List Winsock Entries
[*]List last 10 Event Viewer log
[*]List Installed Programs
[*]List Devices
[*]List Users, Partitions and Memory size.
[*]List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using “Reset FF Proxy Settings” option Firefox should be closed.
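The OTL fix earlier in this thread removes the WinINET proxy entries under HKU\.DEFAULT and HKU\S-1-5-18 and the Firefox network.proxy.* prefs, and the MiniToolBox run above reports the same settings afterwards. As an added example (not part of this thread, and not code from OTL, MiniToolBox, Avast or the poster), the PowerShell script below reads those same locations for every loaded user hive and every Firefox profile and flags any entry pointing at a loopback address, so the state can be compared before and after the fix. It is read-only. The function name Get-ProxyFindings and the C:\Users profile root are assumptions; the loopback pattern matches the 127.0.0.1:59333 proxy reported in this thread.

```powershell
# Added example for this thread, not code from OTL, MiniToolBox, Avast or the poster.
# Read-only audit of the proxy locations the OTL fix edits and MiniToolBox reports:
#   - WinINET "Internet Settings" under every loaded HKEY_USERS hive (used by IE and,
#     by default, Chrome; HKU\.DEFAULT and HKU\S-1-5-18 are the SYSTEM profile)
#   - network.proxy.* prefs in every Firefox profile's prefs.js / user.js
# Assumptions: Windows PowerShell 5.1 or later, run elevated so other users' hives are
# readable, user profiles under C:\Users. The function name is made up here.

function Get-ProxyFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    $loopback = '127\.0\.0\.1|localhost|\[::1\]'

    # 1. WinINET settings per user hive (SIDs and .DEFAULT; *_Classes keys carry no proxy data).
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $hive = $_.PSChildName
            $keyPath = "Registry::HKEY_USERS\$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
            if (-not (Test-Path -Path $keyPath)) { return }
            $s = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
            $enabled = 0
            if ($null -ne $s.ProxyEnable) { $enabled = [int]$s.ProxyEnable }
            $server = [string]$s.ProxyServer
            $pac    = [string]$s.AutoConfigURL
            # Only report hives that actually carry a proxy configuration.
            if ($enabled -eq 1 -or $server -ne '' -or $pac -ne '') {
                $findings.Add([pscustomobject]@{
                    Source   = "WinINET HKU\$hive"
                    Setting  = "ProxyEnable=$enabled ProxyServer='$server' AutoConfigURL='$pac'"
                    Loopback = (($server -match $loopback) -or ($pac -match $loopback))
                })
            }
        }

    # 2. Firefox: any network.proxy.* user_pref in prefs.js or user.js of each profile.
    Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $profRoot = Join-Path -Path $_.FullName -ChildPath 'AppData\Roaming\Mozilla\Firefox\Profiles'
        if (-not (Test-Path -Path $profRoot)) { return }
        Get-ChildItem -Path $profRoot -Recurse -Include 'prefs.js', 'user.js' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_.FullName
                Select-String -Path $file -Pattern 'user_pref\("network\.proxy\.' -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        $findings.Add([pscustomobject]@{
                            Source   = "Firefox $file"
                            Setting  = $_.Line.Trim()
                            Loopback = ($_.Line -match $loopback)
                        })
                    }
            }
    }

    return $findings
}

$results = @(Get-ProxyFindings)
if ($results.Count -eq 0) {
    Write-Output 'No proxy configuration found in WinINET user hives or Firefox profiles.'
} else {
    # Loopback entries sort first: a proxy on 127.0.0.1 that nobody set on purpose is the
    # pattern seen in this thread (http=127.0.0.1:59333).
    $results | Sort-Object -Property Loopback -Descending | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell prompt once before the fix and once after the reboot; a clean machine lists nothing, or only a proxy you recognise. The S-1-5-18 hive is worth watching separately from the per-user ones: a browser opened by the logged-in user can show "no proxy" while a service that follows the IE settings still inherits the SYSTEM entry, which is consistent with Avast in this thread updating only once its connection was set to direct.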

Okay, I figured out OTL didn't run the fix you sent me because of a program I have that continuously warns about system settings changes. I always would select “ok it can run” but that time, because OTL closed everything, I couldn't see the warning window.

So I just closed my program and let OTL run with the fix. It did it flawlessly; it rebooted also. And I also ran a quick scan after the boot.

MiniToolBox is done also.

All of the logs are in the attachment.

Looks good, any problems?

Actually I still can't update Avast…

Set the Avast connection to direct … Does that work?

Settings > Updates > Proxy settings

Before your last message, I wanted to uninstall and reinstall Avast again. When I went for uninstalling, I found an “update” option there. I clicked it and it started updating. But it didn't feel like an incremental update because it lasted a long time.

I restarted the machine and wanted to update Avast from the program itself; it didn't work.

With the direct connection method you said, it worked. But weird, it should work with Internet Explorer settings also, because I have no proxy set there.

I ran aswMBR once again and now it didn't detect the virus I mentioned at the very beginning of this topic (c:\windows\system32\csrsrv.dll).

But these are RED in the scan (as they were before cleaning the virus also):

21:07:07.132 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x865341f8]<<

21:07:07.253 \Driver\atapi[0x865d0720] → IRP_MJ_CREATE → 0x865341f8

I agree 'tis weird as the proxies were removed. But all is well now?

For avast, yes.

But I installed Comodo antivirus back again beside Avast, to check if it cannot connect like before.

And I found out that Comodo cannot update. I checked the options and saw on the proxy panel that there is no such thing as “use internet explorer settings”. You just manually enter the proxy yourself. It's blank and Comodo still cannot update…

Alas, I know nothing about Comodo, but you should not use the AV part at the same time as Avast is running.

I know. I disabled Avast while trying out Comodo