Repeated Attacks

I’m new to the Forum and to Avast, so thanks for any help. My PC suffered a massive attack of malware two days ago, and when I finally got it as cleaned up as I could, I installed Avast (the free version).

What I’m finding is that it is alerting me to repeated attacks, on the frequency of one every couple of minutes, from one of two different types of . This is when the computer is idle. No browsing going on. What I don’t know is if these are false positives (since it is the same two URLs), in which case I can remove them from the list, or not. I don’t see a way to copy the URLs and then check online.

One is a Malicious URL Blocked alert, using the Windows\system32\svchost.exe process
The other is a Malware Blocked alert using win32:malware-gen on the windows\system32\services.exe

I could just turn off the audible and visual alert so it doesn’t go off all the time. But I’d rather know if the threat is real first.

Thanks,
Chris

Nope, you have an infection.

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

  • Select All Users
  • Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.

THEN

Download aswMBR.exe ( 4.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start the scan.

http://dl.dropbox.com/u/73555776/aswMBRscan.png

On completion of the scan click save log, save it to your desktop and post it in your next reply.

http://dl.dropbox.com/u/73555776/aswMBRlog.png

Thanks for your help. Here is the ASW log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-02 17:38:18

17:38:18.471 OS Version: Windows x64 6.0.6002 Service Pack 2
17:38:18.471 Number of processors: 4 586 0x170A
17:38:18.471 ComputerName: HOMEDESKTOP UserName: Jay & Colin
17:38:24.041 Initialize success
17:38:24.119 AVAST engine defs: 12080201
17:39:17.003 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
17:39:17.003 Disk 0 Vendor: ST3750528AS CC44 Size: 715404MB BusType: 3
17:39:17.034 Disk 0 MBR read successfully
17:39:17.049 Disk 0 MBR scan
17:39:17.049 Disk 0 Windows VISTA default MBR code
17:39:17.096 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 70 MB offset 63
17:39:17.096 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 145408
17:39:17.112 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 699972 MB offset 31602688
17:39:17.127 Disk 0 scanning C:\Windows\system32\drivers
17:39:26.331 Service scanning
17:39:40.153 Modules scanning
17:39:40.153 Disk 0 trace - called modules:
17:39:40.184 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
17:39:40.699 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8007b8b6f0]
17:39:40.699 3 CLASSPNP.SYS[fffffa6000ba3c33] → nt!IofCallDriver → [0xfffffa800794c520]
17:39:40.699 5 acpi.sys[fffffa60008fdfde] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007951940]
17:39:41.838 AVAST engine scan C:\Windows
17:39:45.395 AVAST engine scan C:\Windows\system32
17:42:25.561 AVAST engine scan C:\Windows\system32\drivers
17:42:51.005 AVAST engine scan C:\Users\Jay & Colin
17:44:16.415 Disk 0 MBR has been saved successfully to “C:\Users\Jay & Colin\Desktop\MBR.dat”
17:44:16.415 The log file has been saved successfully to “C:\Users\Jay & Colin\Desktop\aswMBR.txt”

The OTL scan only produced one file. It was very long. I’m trying to attach it.

Thanks again for your help.

Chris

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzutAtN2Y1L1QzutDtDtByEtB0CyB0Czz0DtAtAyE0CtC0BtN0D0TzutBtDtCtBtDyCtBzz&cr=1334050472
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=nv1&chnl=nv1&cd=2XzutAtN2Y1L1QzutDtDtByEtB0CyB0Czz0DtAtAyE0CtC0BtN0D0TzutBtDtCtBtDyCtBzz&cr=1334050472
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=nv1&chnl=nv1&cd=2XzutAtN2Y1L1QzutDtDtByEtB0CyB0Czz0DtAtAyE0CtC0BtN0D0TzutBtDtCtBtDyCtBzz&cr=1334050472
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2314686089-3322116631-1230487069-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzutAtN2Y1L1QzutDtDtByEtB0CyB0Czz0DtAtAyE0CtC0BtN0D0TzutBtDtCtBtDyCtBzz&cr=1334050472
IE - HKU\S-1-5-21-2314686089-3322116631-1230487069-1000\..\SearchScopes,DefaultScope = {105E99FF-8B9A-4492-B155-06194B9056D2}
IE - HKU\S-1-5-21-2314686089-3322116631-1230487069-1000\..\SearchScopes\{105E99FF-8B9A-4492-B155-06194B9056D2}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=nv1&chnl=nv1&cd=2XzutAtN2Y1L1QzutDtDtByEtB0CyB0Czz0DtAtAyE0CtC0BtN0D0TzutBtDtCtBtDyCtBzz&cr=1334050472
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{29709093-DB16-11E1-8270-B8AC6F996F26}: C:\Users\Jay & Colin\AppData\Local\{29709093-DB16-11E1-8270-B8AC6F996F26}\ [2012/07/31 09:46:51 | 000,000,000 | ---D | M]
O3 - HKU\S-1-5-21-2314686089-3322116631-1230487069-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4:64bit: - HKLM..\Run: [nrazro] "C:\Users\Jay & Colin\AppData\Roaming\nrazro.dll",GC_UnTrack File not found
[2012/06/28 12:40:27 | 000,302,425 | ---- | C] () -- C:\Users\Jay & Colin\AppData\Local\funmoods-speeddial.crx

:Files
ipconfig /flushdns /c
C:\Windows\Installer{9e4b1ce6-da8e-c24f-3fd4-fcb5f1a45b30}
C:\Users\Jay & Colin\AppData\Local{9e4b1ce6-da8e-c24f-3fd4-fcb5f1a45b30}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

FINALLY

Run Farbar Service Scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

OK. I don’t know how effective the OTL Run Fix was because the program seemed to stop responding. But it did generate a log. When I ran Combofix it told me a system file was infected.

I am going to post three replies, each with one log file because doing all three together exceeds the character limit for messages.

I appreciate the detailed help.
Chris

That didn’t work, so I’m attaching the three log files.

First the OTL

Now the ComboFix

And lastly FSS

Bit more to do

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
FCopy:: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe|c:\windows\system32\Services.exe
Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

THEN

Download the attached regfile to your desktop

https://dl.dropbox.com/u/73555776/bits_vista.reg

Right click and select merge
Accept the warnings
Reboot
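A defender-side version of the check behind the FCopy:: step above, added here as an example and not code from this thread or from ComboFix/OTL: hash the live services.exe, compare it with the copy the WinSxS component store keeps for the servicecontroller component, and restore from that copy on a mismatch while keeping the suspect file for analysis. The component-directory prefix is taken from the CFScript line; the temp directory, the sample file contents and the .bak naming are assumptions made for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Component-store directory prefix from the CFScript in this thread; the version
# suffix (6.0.6002.18005_none_...) differs per machine, so it is globbed below.
COMPONENT_PREFIX = "amd64_microsoft-windows-s..s-servicecontroller_"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def winsxs_copies(winsxs_root, filename, prefix=COMPONENT_PREFIX):
    """Every copy of `filename` inside WinSxS component dirs that start with `prefix`."""
    return sorted(p for p in Path(winsxs_root).glob(prefix + "*/" + filename) if p.is_file())


def check_system_file(live_path, winsxs_root, prefix=COMPONENT_PREFIX):
    """Return ('match'|'mismatch'|'no-reference', live_hash, {store_path: hash}).
    'match' means some component-store copy hashes identically to the live file;
    a 'mismatch' on a core binary such as services.exe is the patched-file
    symptom that ComboFix reported as an infected system file in this thread."""
    live = Path(live_path)
    live_hash = sha256_of(live)
    store = {str(p): sha256_of(p) for p in winsxs_copies(winsxs_root, live.name.lower(), prefix)}
    if not store:
        return "no-reference", live_hash, store
    return ("match" if live_hash in store.values() else "mismatch"), live_hash, store


def restore_from_store(live_path, store_path):
    """Overwrite the live binary with the store copy (what FCopy:: did), keeping a
    .bak of the suspect file for analysis. Returns the post-restore status."""
    live = Path(live_path)
    shutil.copy2(live, live.with_name(live.name + ".bak"))
    shutil.copy2(store_path, live)
    return check_system_file(live, Path(store_path).parents[1])[0]


def build_demo_tree():
    """Constructed sample: a clean store copy and a tampered live Services.exe (assumed bytes)."""
    root = Path(tempfile.mkdtemp())
    comp = root / "winsxs" / (COMPONENT_PREFIX + "6.0.6002.18005_none_2d69d4f782c83d8c")
    comp.mkdir(parents=True)
    clean = b"MZ clean service controller (constructed)"
    (comp / "services.exe").write_bytes(clean)
    (root / "system32").mkdir()
    (root / "system32" / "Services.exe").write_bytes(clean + b"\x90PATCHED")  # simulated infection
    return root / "system32" / "Services.exe", root / "winsxs", comp / "services.exe"


if __name__ == "__main__":
    live, winsxs, store = build_demo_tree()
    print(check_system_file(live, winsxs)[0])  # mismatch
    print(restore_from_store(live, store))     # match
```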

I’m attaching the new ComboFix log file.

I tried downloading the reg file, but I could not see a Merge command when I right-clicked. It produced a webpage of text commands, but nothing that gave the option of merging. Can you give me more detailed explanation of what to do in that step?

Thanks!

Chris

Could you right click the link and select “Save target as…”

Then, once downloaded, right click and select merge.

Once done could you let me know what problems remain