siszyd32

My computer was attacked by siszyd32. I removed it with freefixer but I get a message saying services.exe is trying to send email. Please help me.

You have probably only removed part of the infection

To ensure that I get all the information this log will need to be uploaded to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
[*]Reg - Shell Spawning
[*]File - Lop Check
[*]File - Purity Scan
[*]Evnt - EvtViewer (last 10)

[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%*. /mp /s
%systemroot%\system32*.dll /lockedfiles

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

I’m getting an error message “Invalid Time Flag”

Delete these two elements from the custom scan and re-run

%systemroot%*. /mp /s
%systemroot%\system32*.dll /lockedfiles

Do you get avast telling you that some .dll file in windows/system32 could be a virus?

Here is the logfile
http://www.mediafire.com/?5m5kyimjiiy

My apologies for the delay I must have missed the notification - could you attach the log please

Here is the log.

I see you have Combofix on your system, when I ask you to run it, it will request an update allow it to do so

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  ehiqg.sys -> C:\WINDOWS\System32\drivers\ehiqg.sys
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
[Files - No Company Name]
NY ->  ehiqg.sys -> C:\WINDOWS\System32\drivers\ehiqg.sys
NY ->  fjhdyfhsn.bat -> C:\WINDOWS\System32\fjhdyfhsn.bat
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Run combofix please

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

The problem is still there. Here is the OTS log.

Could you now run Combofix please - allowing it to update

Ran Combofix. Here is the log.
http://www.mediafire.com/?mtjm25y0cyw

I think the problem is solved. Thanks for all your help. But, if you don’t mind, can you explain to me what OTS and Combofix actually did?

OTS removed the respawning files and combofix removed the drivers and rootkit

Did you change your tcpip file yourself ?

2010-01-01 08:20 . 2010-01-01 08:20 359040 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2010-01-01 08:20 . 2004-08-03 12:14 359040 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
as they both fail the signature check

Lets see if we can find a good copy

OTL

[*]Download OTL to your Desktop
[*]Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Under the Custom Scan box paste this in:
[b]netsvcs
/md5start
TCPIP.SYS
nvstor32.sys
/md5stop[/b]
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into your reply.
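As an added illustration of the signature and MD5 check discussed in this post (this is not part of the thread and not code from OTS, OTL or Combofix), the PowerShell below reports the Authenticode status, signer, file version and MD5 of the files in question. It assumes the standard system paths and a PowerShell build that ships Get-AuthenticodeSignature; a NotSigned or HashMismatch result on a Microsoft system file indicates a patched or replaced copy, as with the edited TCPIP.SYS above.

```powershell
# Added example: check signature and MD5 of the system files discussed in the thread.
# Paths assumed to be the standard locations under %SystemRoot%.
$files = @(
    "$env:SystemRoot\System32\drivers\TCPIP.SYS",
    "$env:SystemRoot\System32\drivers\nvstor32.sys",
    "$env:SystemRoot\System32\services.exe"
)

function Get-FileMd5 {
    param([string]$Path)
    # .NET MD5 is used instead of Get-FileHash so this also runs on older PowerShell.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

foreach ($path in $files) {
    if (-not (Test-Path $path)) {
        Write-Output ("{0} : MISSING" -f $path)
        continue
    }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $info = (Get-Item $path).VersionInfo
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # Status 'Valid' with a Microsoft signer is what a genuine OS file should show.
    # 'NotSigned' or 'HashMismatch' means the file was altered or replaced on disk.
    # Caveat: many OS files are catalog-signed; PowerShell 2 on XP does not check
    # catalogs, so there a genuine file may show NotSigned and Sysinternals sigcheck
    # (which the thread's "sigcheck" refers to) is the more reliable tool.
    [PSCustomObject]@{
        File     = $path
        Status   = $sig.Status
        Signer   = $signer
        Version  = $info.FileVersion
        Modified = (Get-Item $path).LastWriteTime
        MD5      = Get-FileMd5 -Path $path
    }
}
```

The MD5 column is what the thread's author compares against known-good values; the Modified column reproduces the timestamp check behind the TCPIP.SYS question (a 2010 write time on a file whose version dates from 2004 is worth explaining).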

I changed the TCPIP.sys myself to increase the number of half-open ports.

OK that would explain the sigcheck failure - what problems do you have now ?

The problem is still there, but today, my Guardian Antivirus DNAScan notified me of a file MBR.exe which it immediately quarantined. Is it dangerous?

There is a list of quarantined files. Can you tell me what I should do with them? Here is the list.
~TM1A.tmp
hidec.exe
SWSC.exe
SWREG.exe
PEV.exe
MBR.exe
A0022738.exe
A0022804.exe
A0024724.exe
A0024870.exe
A0025001.exe

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 17.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u17-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u16-windows-i586-p.exe and select “Run as an Administrator.”)

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

[*]Select Start > All Programs > Accessories > System tools > System Restore.
[*]On the dialogue box that appears select Create a Restore Point
[*]Click NEXT
[*]Enter a name e.g. Clean
[*]Click CREATE

You now have a clean restore point, to get rid of the bad ones:

[*]Select Start > All Programs > Accessories > System tools > Disk Cleanup.
[*]In the Drop down box that appears select your main drive e.g. C
[*]Click OK
[*]The System will do some calculation and then display a dialogue box with TABS
[*]Select the More Options Tab.
[*]At the bottom will be a system restore box with a CLEANUP button click this
[*]Accept the Warning and select OK again, the program will close and you are done

VISTA
To manually create a new Restore Point
[*]Go to Control Panel and select System and Maintenance
[*]Select System
[*]On the left select Advance System Settings and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create
Now we can purge the infected ones

[*]Go back to the System and Maintenance page
[*]Select Performance Information and Tools
[*]On the left select Open Disk Cleanup
[*]Select Files from all users and accept the warning if you get one
[*]In the drop down box select your main drive i.e. C
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete
You are now done

SPRING CLEAN

Download TFC to your desktop

[*]Open the file and close any other windows.
[*]It will close all programs itself when run, make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job
[*]Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

THEN

Download and run Auslogics Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
[*]SuperAntispyware Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe

Actually I get the message again from Guardian saying C:\Windows\System32\services.exe is trying to send emails. Do you want to add it as a legal mail client? If I click No, it appears again. I checked the MD5 hash of the services.exe file against the ones available on the Internet to check whether it is malware or not. It matched the original ones. So what should I do? Sorry for the troubles.