Malware infection. Avast detects but need help to remove/clean

Hi,

I am a firm believer in the protection offered by Avast. I have been a client/fan of the free protection for years now. I did a stupid and downloaded from an insecure source and ended up with what I think was Antimalware Doctor. In any case, I ran a bunch of different spyware/malware/antivirus tools and have yet to get rid of the problem.

I have used Spybot Search and Destroy, MBAM, Kaspersky, among others. I have a bunch of utilities onboard such as Process Explorer, RootkitRevealer, ESET, GetServices. These were mainly retrieved by trying to self-diagnose and clean up from the forum at Bleeping Computer.

I have a copy of OTL on my computer.

As of this moment, when I boot up, Avast warns me about MBR: \.\physicaldrive0 and recommends it be deleted, and another warning follows about \.\physicaldrive MBR: TDL4. When I open a browser, I get repeated warnings that a malicious URL has been blocked; the address is 199.80.55.19, and there are sometimes others.

I’m pretty fearless when it comes to searching for and diagnosing attacks; obviously this one is out of my league.

Care to give me a hand?

Hi.

Care to give me a hand?

If our colleagues from the Bleeping Computer forums are still working
on resolving your case, we should not interfere, in order not to make changes to your system
and thus interfere with their reports, i.e. the logs that diagnostic tools such as DDS, OTL/S, TDSS & MBR tools or some other anti-rootkit tool produce.

My advice is to wait for the Malware Fighters from that forum for further instructions.

I don’t know if this is the routine you followed to try and remove it, http://www.bleepingcomputer.com/virus-removal/remove-antimalware-doctor ?

However, this may well be complicated/protected by the MBR rootkit.

To start the ball rolling on that:

Guys,

Thanks for the quick response. I was running a full MalwareBytes Anti-Malware scan and it came up clean. It detected one Trojan, on May 3rd, but has not found anything of note since.

I’m not certain how to post scans on here, or logs, etc… I’m kinda good at some things, not tremendously well versed in others.

As for whether the guys at Bleeping Computer are on this problem, the answer is no; I was simply (and probably somewhat naively) trying the process that seemed to have worked for others. To no avail. So here I am.

Ok, Avast detects that SVCHOST is trying to do some unauthorized stuff. So far it blocks malicious attempts to connect to 95.143.93.138 and 199.80.55.19. There are browser redirects (I use Mozilla Firefox) as well.

As for Antimalware Doctor, I actually went into the registry editor and removed a couple of files that were associated with the Anti Malware Doctor. I don’t want to send you on a false path here, since I seem to have a cocktail of different threats onboard, some of which were found and removed, some were not.

Latest popup by Avast, during the scan showed that C:\documents+settings\network suite NTauthority\localsettings\temporary internet file\content\IE5\WCZZYZZE\C_clckclOAK_com was blocked.

Some other news of note: I was, and probably still am, unable to download antivirus software. I was unable to get a full download of Kaspersky or Super Anti Spyware; the download aborts after a couple hundred KB and cannot resume.

Ok, I hope I’m not going around in circles for you guys. Just trying to give you stuff to work with.

Anyway, it seems I have something bad going on with SVCHOST.EXE, best I can figure.

I’ll do the aswMBR.exe, not sure how to post it though…

Stellium

David,

Here is what it found

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-17 13:55:38

13:55:38.750 OS Version: Windows 5.1.2600 Service Pack 3
13:55:38.750 Number of processors: 1 586 0x303
13:55:38.750 ComputerName: JACQUES-01 UserName: jacques
13:55:39.234 Initialize success
13:55:43.296 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
13:55:43.312 Disk 0 Vendor: ST380215A 3.AAD Size: 76319MB BusType: 3
13:55:43.312 Device \Driver\atapi → DriverStartIo 8534b57b
13:55:45.343 Disk 0 MBR read successfully
13:55:45.343 Disk 0 MBR scan
13:55:45.343 Disk 0 TDL4@MBR code has been found
13:55:45.343 Disk 0 Windows XP default MBR code found via API
13:55:45.343 Disk 0 MBR hidden
13:55:45.343 Disk 0 MBR [TDL4] ROOTKIT
13:55:45.359 Disk 0 trace - called modules:
13:55:45.359 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8534b730]<<
13:55:45.359 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x853305e0]
13:55:45.359 3 CLASSPNP.SYS[f7848fd7] → nt!IofCallDriver → \Device\00000060[0x853952b8]
13:55:45.359 5 ACPI.sys[f77bf620] → nt!IofCallDriver → [0x85331d98]
13:55:45.375 \Driver\atapi[0x852fd030] → IRP_MJ_CREATE → 0x8534b730
13:55:45.375 Scan finished successfully
13:56:13.000 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\jacques.JACQUES-01\My Documents\MBR.dat”
13:56:13.000 The log file has been saved successfully to “C:\Documents and Settings\jacques.JACQUES-01\My Documents\aswMBR.txt”
13:58:54.234 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\jacques.JACQUES-01\My Documents\MBR.dat”
13:58:54.234 The log file has been saved successfully to “C:\Documents and Settings\jacques.JACQUES-01\My Documents\aswMBR.txt”

I took the liberty of adding color to the items that were highlighted by the aswMBR.exe scan.

Houston… We have a problem…

Stellium

  • scan again then click “FIX” and reboot
  • after reboot, scan again. then click “Save log” and post it in your next reply

After the fix, if the second report/log comes up clean, then MBAM and avast may find other things that were previously hidden. So run those scans again.

Pondus,

Scanned and fixed; it confirmed the fix, and when it went to verify the cleaning the computer hung… Reset the computer and it seemed to reboot clean (no warnings from Avast).

Log seems clean.

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-17 14:23:39

14:23:39.312 OS Version: Windows 5.1.2600 Service Pack 3
14:23:39.312 Number of processors: 1 586 0x303
14:23:39.312 ComputerName: JACQUES-01 UserName: jacques
14:23:39.640 Initialize success
14:23:40.906 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
14:23:40.937 Disk 0 Vendor: ST380215A 3.AAD Size: 76319MB BusType: 3
14:23:43.000 Disk 0 MBR read successfully
14:23:43.000 Disk 0 MBR scan
14:23:43.000 Disk 0 Windows XP default MBR code
14:23:45.015 Disk 0 scanning sectors +156280320
14:23:45.031 Disk 0 scanning C:\WINDOWS\system32\drivers
14:23:51.265 Service scanning
14:23:52.546 Disk 0 trace - called modules:
14:23:52.562 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
14:23:52.562 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x853955e0]
14:23:52.562 3 CLASSPNP.SYS[f7848fd7] → nt!IofCallDriver → \Device\00000060[0x853cf2b8]
14:23:52.562 5 ACPI.sys[f77bf620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x853ccd98]
14:23:52.562 Scan finished successfully
14:24:14.812 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\jacques.JACQUES-01\My Documents\MBR.dat”
14:24:14.828 The log file has been saved successfully to “C:\Documents and Settings\jacques.JACQUES-01\My Documents\aswMBR2.txt”

Anything else?

Stellium
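aswMBR saved MBR.dat both before and after the FIX, and the two dumps are worth decoding and comparing rather than only trusting the second scan. The Python below is an added example, not part of this thread and not aswMBR's own code: it decodes a 512-byte MBR image and diffs two of them region by region. Both images are constructed inline. The partition layout (one bootable NTFS partition from LBA 63 ending on a 255x63 cylinder boundary) is a plausible XP layout for the 76319 MB ST380215A in the log, the boot code bytes are stand-ins and not the real XP or TDL4 code, and the disk size in sectors is derived from the MB figure aswMBR printed. What it shows is the shape of a TDL4 infection: the boot code region differs, the partition table and disk signature do not (the rootkit keeps them so Windows still boots), and there is unpartitioned space after the last partition, which is where TDL4 keeps its hidden file system; the "scanning sectors +156280320" line in the post-fix log is a pass about 10 MB short of the end of this 156,301,312-sector disk, consistent with checking that area.

```python
import hashlib
import struct

SECTOR = 512
DISK_MB = 76319                                  # "Size: 76319MB" in the aswMBR log
DISK_SECTORS = DISK_MB * 1024 * 1024 // SECTOR   # 156_301_312 sectors

# Stand-in boot code for the sample images (constructed; not real XP or TDL4 code).
STOCK_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 100
ROOTKIT_BOOT_CODE = bytes([0xEB, 0x2F, 0x90]) + b"\xCC" * 200


def build_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code, a disk signature and up to four
    (bootable, type, start_lba, size_sectors) tuples. Only used to construct samples;
    CHS fields are filled with 0xFF as modern tools do."""
    assert len(boot_code) <= 440 and len(partitions) <= 4
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, 440, disk_sig)
    for i, (bootable, ptype, start, size) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i, 0x80 if bootable else 0,
                         b"\xff\xff\xff", ptype, b"\xff\xff\xff", start, size)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed layout: LBA 63 .. 156_296_384 (9729 cylinders of 16065 sectors),
# leaving 4927 sectors unpartitioned at the end of the disk.
PARTITIONS = [(True, 0x07, 63, 156_296_322)]
CLEAN_MBR = build_mbr(STOCK_BOOT_CODE, 0x1234ABCD, PARTITIONS)
INFECTED_MBR = build_mbr(ROOTKIT_BOOT_CODE, 0x1234ABCD, PARTITIONS)


def parse_mbr(mbr: bytes) -> dict:
    """Decode boot-code hash, disk signature and the non-empty partition entries."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, start, size = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start_lba": start, "size": size})
    return {"boot_code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
            "partitions": parts}


def diff_mbr(before: bytes, after: bytes) -> dict:
    """Which MBR regions differ between two dumps (True = changed)."""
    regions = {"boot_code": (0, 440), "disk_signature": (440, 444),
               "partition_table": (446, 510), "boot_signature": (510, 512)}
    return {name: before[a:b] != after[a:b] for name, (a, b) in regions.items()}


def unpartitioned_tail(info: dict, disk_sectors: int) -> int:
    """Sectors after the end of the last partition: space no partition entry
    references, which a bootkit can use without showing up in any volume."""
    end = max((p["start_lba"] + p["size"] for p in info["partitions"]), default=0)
    return disk_sectors - end


if __name__ == "__main__":
    for name, img in (("before FIX", INFECTED_MBR), ("after FIX", CLEAN_MBR)):
        info = parse_mbr(img)
        print(name, info["boot_code_sha256"][:16], info["partitions"])
    changed = [k for k, v in diff_mbr(INFECTED_MBR, CLEAN_MBR).items() if v]
    print("regions changed by FIX:", changed)
    print("unpartitioned tail sectors:", unpartitioned_tail(parse_mbr(CLEAN_MBR), DISK_SECTORS))
```

On real dumps, feed the file contents in directly: `parse_mbr(open("MBR.dat", "rb").read())` for each saved copy, then `diff_mbr` on the pair. A fix that only touches the boot code region while the partition table stays byte-identical is what a successful MBR restore should look like; a changed partition table after a "fix" means something else was written and deserves a closer look before rebooting.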

DavidR,

I’ll do a complete scan of both, Avast first, then MBAM. It could take a couple of hours, will post when done…

Stellium

OK, and as David says, do a quick scan with MBAM to see if anything else comes up now.
Remember to update it before you scan, as there have been many MBAM updates today.

Yes, it would have been better to start with the Quick MBAM scan, as it may well be quicker, and post the log.

An avast Quick scan would also be looking at the more important areas and would be quicker. You could follow that up with a Full System Scan if you wish.

Ok,

results so far.

Avast Full system scan - 3 viruses found, Alureon-G@mbr.[rtk] Removed
Avast Boot scan - 2 viruses found,

C:\documents and settings.…google\gijupo.class Java agent Exploit Removed
C:\documents and settings.…google\kilop.class Java agent Exploit Removed

MalwareBytes Anti Malware (updated today) Full system scan

Results

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6598

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/17/2011 7:13:01 PM
mbam-log-2011-05-17 (19-13-01).txt

Scan type: Full scan (C:\|)
Objects scanned: 231596
Time elapsed: 1 hour(s), 15 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

I think that I’m making some progress.

What next? Remove temporary internet files? Create a restore point? Additional scans with Spybot? SpywareBlaster? AdAware?

I await your instructions

Stellium

I would have removed temp files before running the scans, as that would reduce the content needing to be scanned, etc.

I don’t think Spybot S&D or AdAware would bring much to the party. SpywareBlaster is a passive tool, so you can’t actually run a scan with it.

I don’t know if you have a lot of old restore points, although avast didn’t find anything in there, so they should be OK. So creating a new restore point wouldn’t be bad, as it is looking much better than it was.

However, I’m surprised that the avast scan found Alureon-G@mbr.[rtk], so I would check again with aswMBR.

DavidR,

Actually, it found that sort of thing on start-up originally; it just didn’t fix it. Anyway, here is the aswMBR.exe scan log.

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-17 21:04:27

21:04:27.703 OS Version: Windows 5.1.2600 Service Pack 3
21:04:27.703 Number of processors: 1 586 0x303
21:04:27.703 ComputerName: JACQUES-01 UserName: jacques
21:04:28.234 Initialize success
21:04:30.203 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
21:04:30.203 Disk 0 Vendor: ST380215A 3.AAD Size: 76319MB BusType: 3
21:04:32.250 Disk 0 MBR read successfully
21:04:32.250 Disk 0 MBR scan
21:04:32.250 Disk 0 Windows XP default MBR code
21:04:34.265 Disk 0 scanning sectors +156280320
21:04:34.296 Disk 0 scanning C:\WINDOWS\system32\drivers
21:04:40.734 Service scanning
21:04:41.937 Disk 0 trace - called modules:
21:04:41.937 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
21:04:41.937 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x853955e0]
21:04:41.953 3 CLASSPNP.SYS[f7848fd7] → nt!IofCallDriver → \Device\00000060[0x853cf2b8]
21:04:41.953 5 ACPI.sys[f77bf620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x853ccd98]
21:04:41.953 Scan finished successfully
21:05:03.968 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\jacques.JACQUES-01\My Documents\MBR.dat”
21:05:03.984 The log file has been saved successfully to “C:\Documents and Settings\jacques.JACQUES-01\My Documents\aswMBR3.txt”

Seems ok to me. What do you think?

Stellium

Looks OK to me too; generally the aswMBR tool is very clear if you have a rootkit.