Colexity/Espeak Malware

Hi,

I’ve been having trouble with a virus or malware lately and dowloaded Avast to help with it. A popup from Avast comes up every 30 seconds or so saying “Malicious URL Blocked” with the address of Espeak or Colexity or another IP address, just those three. I’ve followed the instructions on the Logs to Assist in Cleaning Malware thread, and I’ll post the logs below. Thank you in advance to anyone who can help me!!

Ran Malwarebytes and it didn’t find anything. Here is the log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.18.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: AMANDA [administrator]

8/17/2012 10:43:39 PM
mbam-log-2012-08-17 (22-43-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 184170
Time elapsed: 18 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Attached OTL log and extras.

Log from aswMBR:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-17 23:45:05

23:45:05.765 OS Version: Windows 5.1.2600 Service Pack 3
23:45:05.765 Number of processors: 1 586 0x209
23:45:05.765 ComputerName: AMANDA UserName:
23:45:11.656 Initialize success
23:45:18.671 AVAST engine defs: 12081701
23:45:48.000 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
23:45:48.000 Disk 0 Vendor: ST340014A 3.16 Size: 38146MB BusType: 3
23:45:48.000 Device \Driver\atapi → DriverStartIo 89a992e2
23:45:48.000 Disk 0 MBR read successfully
23:45:48.000 Disk 0 MBR scan
23:45:48.093 Disk 0 Windows XP default MBR code
23:45:48.093 Disk 0 MBR hidden
23:45:48.093 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 38138 MB offset 63
23:45:48.109 Disk 0 scanning sectors +78108030
23:45:48.171 Disk 0 scanning C:\WINDOWS\system32\drivers
23:46:04.687 Service scanning
23:46:16.390 Service MpKsl47abd0a9 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates{EAF702C3-C118-4F61-AADC-E1CD30AC79DF}\MpKsl47abd0a9.sys LOCKED 32
23:46:29.937 Modules scanning
23:47:04.359 Disk 0 trace - called modules:
23:47:04.359 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89a994b1]<<
23:47:04.359 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a133ab8]
23:47:04.359 3 CLASSPNP.SYS[f7637fd7] → nt!IofCallDriver → [0x8a154628]
23:47:04.359 \Driver\atapi[0x89b88030] → IRP_MJ_CREATE → 0x89a994b1
23:47:04.812 AVAST engine scan C:\WINDOWS
23:47:19.265 AVAST engine scan C:\WINDOWS\system32
23:50:31.562 AVAST engine scan C:\WINDOWS\system32\drivers
23:50:45.281 AVAST engine scan C:\Documents and Settings\Administrator
00:00:52.687 AVAST engine scan C:\Documents and Settings\All Users
00:02:00.156 Scan finished successfully
00:03:07.843 Disk 0 MBR has been saved successfully to “E:\MBR.dat”
00:03:07.984 The log file has been saved successfully to “E:\aswMBR.txt”

[list]
Multiple Antivirus Programs

You are running more than 1 Antivirus program!

AV: AVAST Software
AV: AVG Technologies

Running - more than one - antivirus program is not recommended because:
[*]They can conflict with each other.
[*]Report the other antivirus software as malicious.
[*]Antivirus programs use an enormous amount of computer’s resources… actively scanning your computer.
[*]Can cause your computer to become unstable…run slowly and even, in rare cases, BSOD crash…etc
I suggest you to uninstall AVG antivirus .

Then download AVG uninstaller to remove AVG leftovers:
http://singularlabs.com/uninstallers/security-software/


Step1

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.


Step2

Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by doubleclicking on it.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please post the contents of that log in your next reply.

Thank you SO SO much for helping me!

I uninstalled AVG and its leftovers.
Ran Combofix, and attached the log.

Also, Combofix says I have the Rootkit Zero Access.

Here’s the log from TDSSKiller

Hm…this variant of ZeroAccess rootkits have some differents loading points…

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

In this run, allow Combofix to download and install his recovery console!


Open notepad and copy/paste the text present inside the code box below:



KillAll::

MBR::

Reboot::

Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\{1e88cbe8-e803-f507-4f4b-5496d76e870e}
c:\windows\Installer\{1e88cbe8-e803-f507-4f4b-5496d76e870e}

Firefox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3vy8u4t3.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

RegLock::
[HKEY_USERS\S-1-5-21-436374069-920026266-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,50,76,5f,01,d2,87,40,83,19,8d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,50,76,5f,01,d2,87,40,83,19,8d,\


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )


Then…

[*]Re-run TDSSKiller.exe and click on Change parametres.
[*]Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
[*]Click on Start Scan.
[*]If an infected file is detected, the default action will be Cure, click on
[*]If a suspicious file is detected, the default action will be Skip, click on Continue.
[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.
[*]Click the Report button and copy/paste the contents of it into your next reply
Note:It will also create a log in the [b]C:[/b] directory.

There’s an error everytime Combofix tries to install the recovery console. The internet connection quits working after I run Combofix. I’ve tried restarting, and trying again but it didn’t help.

The log for the TDSkiller Report is attached.
I’m going to try and run Combofix one more time with the code you supplied.

Here’s the log for the Combofix run.

Hi,
Please re-run TDSSKiller as before (with change parametres ) and use Delete option for this entry:

\Device\Harddisk0\DR0 ( TDSS File System )

How is your computer running now? 8)

When I ran again & deleted the thing you said, Avast popped up and said Rootkit blocked. So, yay, right? :slight_smile: Is it all gone?

It’s running great, no problems! Do I need to worry about the recovery console not being installed?

We will need to check that again.

Temporaly disable avast antivirus.
Delete current TDSSKiller and download fresh one. ( you also may delete old TDSSKiller reports in C:\ TDSSKiller_tame_date )
Re-run TDSSKiller as before with change parametres and attach here fresh TDSSKiller logrepor.


Delete old aswMBR and download fresh one. Re-run as you did before and attach here fresh aswMBR.txt

I’ve attached both the logs. By the way, you are my hero. ;D

Yap … rootkits are gone. We will remove all used tools…

It is necessary to uninstall the ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.

Re-run OTL and click on CleanUp! button

Mkay, did the cleanup. Is that all I need to do? Thank you so much for your help, this was driving me crazy.

Yap ;D