I seem to be having the same problem as a few others here.
http://forum.avast.com/index.php?topic=80917.0
http://forum.avast.com/index.php?topic=80988.0
Currently running aswMBR and Malwarebytes, will post results when done. I also ran TDSSKiller.exe but nothing showed up.
Yesterday is when the problem started and I ran a few full system scans and boot-time scans and removed 970 files. Then I updated to FF5 and everything was fine except no Google toolbar with FF5, so I ran the compatibility thing to get the toolbar back and the problem returned. Removed the toolbar but the problem has remained.
All help is welcome
Chris
Wanted to add that the IP being blocked is the same as in one of the other links listed: 64.111.211.158
Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org
Database version: 7020
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
7/4/2011 3:36:39 PM
mbam-log-2011-07-04 (15-36-39).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 406400
Time elapsed: 57 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0F9E81F1-8C60-4D6E-B526-C65FBFD9CBAB} (Trojan.Tracur.Gen) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F9E81F1-8C60-4D6E-B526-C65FBFD9CBAB} (Trojan.Tracur.Gen) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG32 (Trojan.Tracur) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dot3svc32 (Trojan.Tracur) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry32 (Trojan.Tracur) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator32 (Trojan.Tracur) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess32 (Trojan.Tracur) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV32 (Trojan.Tracur) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv32 (Backdoor.Agent) → Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Windows\System32\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.Gen) → Quarantined and deleted successfully.
c:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.Gen) → Quarantined and deleted successfully.
aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-07-04 14:08:48
14:08:48.276 OS Version: Windows x64 6.1.7600
14:08:48.276 Number of processors: 4 586 0x502
14:08:48.277 ComputerName: CHRIS-PC UserName: Chris
14:08:49.616 Initialize success
14:08:49.915 AVAST engine defs: 11070400
14:08:55.954 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000058
14:08:55.956 Disk 0 Vendor: Hitachi_ STDO Size: 610480MB BusType: 3
14:08:57.970 Disk 0 MBR read successfully
14:08:57.971 Disk 0 MBR scan
14:08:57.974 Disk 0 unknown MBR code
14:08:57.977 Service scanning
14:08:59.199 Disk 0 trace - called modules:
14:08:59.211 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
14:08:59.213 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8005e5c060]
14:08:59.216 3 CLASSPNP.SYS[fffff880018f743f] → nt!IofCallDriver → [0xfffffa80059e9e40]
14:08:59.219 5 ACPI.sys[fffff88000e45781] → nt!IofCallDriver → \Device\00000058[0xfffffa80058e84a0]
14:09:00.090 AVAST engine scan C:\Windows
14:26:10.848 AVAST engine scan C:\Users\Chris
15:30:47.006 AVAST engine scan C:\ProgramData
15:47:44.141 Scan finished successfully
15:48:54.628 Disk 0 MBR has been saved successfully to “C:\Users\Chris\Downloads\MBR.dat”
15:48:54.632 The log file has been saved successfully to “C:\Users\Chris\Downloads\aswMBR.txt”
What next? A quick test shows the problem is gone but I haven't rebooted yet. Going to do that now.
Problem returned after reboot. Not sure what I should do. I'm pretty much a n00b when it comes to things like this.
There are probably still some malware files on the system
To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload to Mediafire and post the sharing link.
Download OTS to your Desktop
[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
[*]Under the Custom Scan box paste this in
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
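The indicators in the logs above (Trojan.Tracur services registered under a legitimate service name with "32" appended, and a DLL named like a Windows API-set stub with extra digits on the end) and the core-binary hashing the OTS custom scan performs can both be checked from PowerShell. The script below is an added example, not part of this thread and not output or code from OTS, Malwarebytes, aswMBR or ComboFix; the naming patterns it looks for are heuristics built from this thread's own log lines, not a general Tracur signature. It assumes an elevated PowerShell 3 or later prompt on the suspect machine (on PowerShell 2, substitute Get-WmiObject for Get-CimInstance).

```powershell
# Added example for this thread (hypothetical checks derived from the MBAM/OTS logs above).
# Run from an elevated PowerShell prompt on the suspect machine.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$all     = Get-CimInstance -ClassName Win32_Service
$byName  = @{}
foreach ($s in $all) { $byName[$s.Name.ToLower()] = $s }

# 1. Shadow services: the name is an existing service name with "32" appended
#    (ALG -> ALG32, dot3svc -> dot3svc32, wuauserv -> wuauserv32 in the MBAM log).
$shadow = foreach ($s in $all) {
    if ($s.Name -match '^(.+?)32$' -and $byName.ContainsKey($Matches[1].ToLower())) {
        $mimics = $Matches[1]
        # svchost-hosted services load their payload from Parameters\ServiceDll
        $dll = (Get-ItemProperty -Path (Join-Path $svcRoot "$($s.Name)\Parameters") `
                   -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        [pscustomobject]@{
            Service    = $s.Name
            Mimics     = $mimics
            StartMode  = $s.StartMode
            ImagePath  = $s.PathName
            ServiceDll = $dll
        }
    }
}
'== Services that shadow a legitimate service name with a 32 suffix =='
$shadow | Format-Table -AutoSize

# 2. API-set lookalikes: genuine stubs are named api-ms-win-<area>-l<n>-<n>-<n>.dll;
#    the dropped file was api-ms-win-core-misc-l1-1-032.dll, i.e. extra digits on the end.
$dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") | Where-Object { Test-Path $_ }
$lookalike = Get-ChildItem -Path $dirs -Filter 'api-ms-win-*.dll' |
    Where-Object { $_.Name -match '-l\d+-\d+-\d{2,}\.dll$' } |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Bytes     = $_.Length
            Created   = $_.CreationTime
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    }
'== api-ms-win-* DLLs with a non-standard version suffix =='
$lookalike | Format-Table -AutoSize

# 3. Core binaries from the OTS /md5start list: MD5 (what OTS reports) plus Authenticode
#    status. Compare the hashes with a known-clean machine of the same Windows build and
#    patch level. Caveat: Windows system files are catalog-signed and older versions of
#    Get-AuthenticodeSignature report them as NotSigned, so only a hash mismatch against
#    a clean host, or a signer other than Microsoft, is a finding on its own.
$core = @(
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\drivers\volsnap.sys"
)
$md5 = [System.Security.Cryptography.MD5]::Create()
$coreReport = foreach ($p in $core) {
    if (Test-Path $p) {
        $bytes  = [System.IO.File]::ReadAllBytes($p)
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            File   = $p
            MD5    = ([System.BitConverter]::ToString($md5.ComputeHash($bytes))).Replace('-', '')
            Status = $sig.Status
            Signer = $signer
        }
    }
}
'== Core binaries (compare MD5 against a clean host of the same build) =='
$coreReport | Format-Table -AutoSize

# 4. The indicator Avast kept blocking in this thread: any live connection to that address.
$blockedIp = '64.111.211.158'
'== Connections to ' + $blockedIp + ' =='
netstat -ano | Select-String -SimpleMatch $blockedIp
```

Sections 1 and 2 are the checks a responder would run before the reboot in this thread, since a shadow service that survives a reboot is exactly what re-establishes the connection that Avast blocks; section 3 reproduces what the OTS custom scan's /md5start block asks for, and the hashes only mean something next to those from a clean host of the same build.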
Thank you, doing this now
Malwarebytes is now blocking whatever is happening.
Let me know if they continue after this.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\] > ->
YN -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\: URLSearchHooks\\"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< FireFox Extensions [User Folders] > ->
YY -> XUL Cache -> C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{57427a7e-7448-4510-9ee0-34a6e752b42c}
YY -> ShopToWin13 -> C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\] > -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{30F9B915-B755-4826-820B-08FBA6BD249D}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY -> iscsied32.dll -> C:\ProgramData\iscsied32.dll
NY -> Free Offers from Freeze.com -> C:\Program Files (x86)\Free Offers from Freeze.com
[Files/Folders - Modified Within 30 Days]
NY -> 573779942 -> C:\Windows\SysWow64\573779942
NY -> iscsied32.dll -> C:\ProgramData\iscsied32.dll
[Files - No Company Name]
NY -> 573779942 -> C:\Windows\SysWow64\573779942
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
This is no sign of malfunction, do not panic!
Ran the fix but it appears to have gotten stuck a few times. No log was given to me after the scan, just a message saying that the system needs to restart, so I clicked Yes but nothing happened. No restart, and OTS is just sitting there.
Restarted the system myself and all seems fine. Wish I could have provided the report you wanted but it was never shown. If it was saved in OTS somewhere and you can tell me how to access it, I will post it ASAP.
Thank you so much!
Chris
Spoke too soon, it's back. What next?
Ran the fix again and the same thing happened: no report, just a prompt to restart, but no restart.
Bump for the early morning crowd ;D Don't know what to do right now. Seeing new threads started about the same thing.
OK, that tells me that there is a protector hiding on the system, so bigger hammer.
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
[*]Double-click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Looks like it's all cleared up now, but I'll wait to see what you think of this last report.
-------\Service_RpcSs32
-------\Service_wmiApSrv32
There we go, two dead hidden drivers ;D
Firefox was also compromised and cleared
Could you now run a fresh Malwarebytes scan please as some orphans may have been revealed.
Any further problems