
Hellppppp!! Bad virus attack?


Comments

  • raz_uk
    raz_uk Posts: 252 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    waddler_8 wrote: »
    download this and save it to your desktop.

    http://public.avast.com/~gmerek/aswMBR.exe

    When you've downloaded it...
    • Double click aswMBR.exe to run it (XP), or right click & choose "Run as Administrator" (Vista, Win7)
    • Click Yes when prompted to scan with Avast virus definitions
    • With the AVscan set to Quick Scan, click the Scan button.

    • When the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
    • Click OK when prompted. aswMBR.txt & MBR.dat will appear on your desktop.
    • Click EXIT.
    • Copy & paste the contents of aswMBR.txt & post it here.
    Don't click to fix anything yet, just post the log.

    I'm off to bed - I'll take a look in the morning.

    Hi Waddler,

    **UPDATE**

    Some good news - my AVG has removed the bulk of the virus and things seem to be getting better now! Can access antivirus websites etc. Just worried about some obvious remnants of it - as I cannot access my Windows firewall through the control panel, which is concerning.

    Have run the avast check on the main infected 'funnyman' profile. The previous log report was under the 'administrator' profile. Please check below and advise next steps to completely clear any rubbish left over:


    aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
    Run date: 2013-06-23 00:01:45
    00:01:45.843 OS Version: Windows 5.1.2600 Service Pack 2
    00:01:45.843 Number of processors: 1 586 0x408
    00:01:45.843 ComputerName: NONE-Z8FONJOYNX UserName: Funny Man
    00:01:47.046 Initialize success
    00:07:11.234 AVAST engine defs: 13062201
    00:07:21.328 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    00:07:21.375 Disk 0 Vendor: ST380011A 3.04 Size: 76319MB BusType: 3
    00:07:21.625 Disk 0 MBR read successfully
    00:07:21.625 Disk 0 MBR scan
    00:07:21.890 Disk 0 Windows XP default MBR code
    00:07:21.890 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
    00:07:22.312 Disk 0 scanning sectors +156280320
    00:07:22.734 Disk 0 scanning C:\WINDOWS\system32\drivers
    00:08:19.578 Service scanning
    00:09:10.781 Modules scanning
    00:09:38.828 Disk 0 trace - called modules:
    00:09:38.859 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys atapi.sys viaide.sys PCIIDEX.SYS
    00:09:38.859 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82d79ab8]
    00:09:38.859 3 CLASSPNP.SYS[f858605b] -> nt!IofCallDriver -> \Device\0000006f[0x82d56f18]
    00:09:38.859 5 ACPI.sys[f83fc620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82d45d98]
    00:09:38.859 \Driver\atapi[0x82d3e7e0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> prosync1.sys[0xf8a2f6c1]
    00:09:40.406 AVAST engine scan C:\WINDOWS
    00:09:48.765 AVAST engine scan C:\WINDOWS\system32
    00:16:34.093 AVAST engine scan C:\WINDOWS\system32\drivers
    00:17:24.078 AVAST engine scan C:\Documents and Settings\Funny Man
    00:46:36.453 AVAST engine scan C:\Documents and Settings\All Users
    00:48:37.296 Scan finished successfully
    00:51:57.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Funny Man\Desktop\MBR.dat"
    00:51:57.187 The log file has been saved successfully to "C:\Documents and Settings\Funny Man\Desktop\aswMBR.txt"
  • raz_uk
    raz_uk Posts: 252 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Sorry all just to bump this - so the scan log can be reviewed.

    Regards
  • Ozzy89
    Ozzy89 Posts: 52 Forumite
    Your system is clean, Good luck.
  • raz_uk
    raz_uk Posts: 252 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Ozzy89 wrote: »
    Your system is clean, Good luck.

    Thanks Ozz.

    But since the virus has been removed - my Windows firewall doesn't open, therefore I am slightly anxious that some remnants of the virus have either caused some damage or are still lurking around.

    For assurance, are there any other checks which can be done for completeness?

    Many thanks,
  • raz_uk
    raz_uk Posts: 252 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Can anybody advise? Really worried about the firewall etc.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Sorry, I've been away for a few days.

    Post me a DDS log - should take 2-3 minutes - then we'll see where we are.

    Download DDS from the link below and save it to your desktop:

    Link

    After you've downloaded it and saved it to your desktop:
    • Double click DDS to run it.
    • Click Start
    • When it's finished, DDS will open two logs:
    1. DDS.txt
    2. Attach.txt
    Save both reports to your desktop.

    Copy & paste the contents of just DDS.txt for now and post it here (you may need to split the log over separate posts)
  • raz_uk
    raz_uk Posts: 252 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    waddler_8 wrote: »
    Sorry, I've been away for a few days.

    Post me a DDS log - should take 2-3 minutes - then we'll see where we are.

    Download DDS from the link below and save it to your desktop:

    Link

    After you've downloaded it and saved it to your desktop:
    • Double click DDS to run it.
    • Click Start
    • When it's finished, DDS will open two logs:
    1. DDS.txt
    2. Attach.txt
    Save both reports to your desktop.

    Copy & paste the contents of just DDS.txt for now and post it here (you may need to split the log over separate posts)

    Thanks Waddler - good to see you back :)

    Please see below:

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702
    Run by Funny Man at 20:49:08 on 2013-06-26
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.511.243 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ================
    .
    \??\C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    \??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    \??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\Winamp\winamp.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: eSnipsBHO Class: {B530A9A4-1722-4D16-AAD6-AA85E3AD2ADE} - c:\program files\logia\esnipsdownloader\eSnipsBHO.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-System: EnableLUA = dword:0
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: Download using LeechGet - c:\program files\leechget 2007\\AddUrl.html
    IE: Download using LeechGet Wizard - c:\program files\leechget 2007\\Wizard.html
    IE: Parse with LeechGet - c:\program files\leechget 2007\\Parser.html
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 192.168.1.254
    TCP: Interfaces\{25E0455C-02CB-4D04-B690-CC4E4A47E05A} : DHCPNameServer = 192.168.1.254
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - <orphaned>
    SEH: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - <orphaned>
    Hosts: 127.0.0.1 www.spywareinfo.com
    Hosts: 82.192.86.132 !!!!!!!!!
    Hosts: 82.192.86.132 www.!!!!!!!!!
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 255968]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 297168]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2012-1-31 7391072]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
    S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\drivers\k600bus.sys [2005-3-4 52384]
    S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\drivers\k600mdfl.sys [2005-5-11 6096]
    S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\drivers\k600mdm.sys [2005-5-11 87456]
    S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\drivers\k600mgmt.sys [2005-5-11 79248]
    S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\k600obex.sys [2005-5-11 77072]
    S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-3-26 114464]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2011-5-7 137600]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2011-5-7 8576]
    S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-2-29 44928]
    S4 Fzcssvpgr;Fzcssvpgr; [x]
    .
    =============== File Associations ===============
    .
    FileExt: .reg: regfile=regedit.exe "%1" %*
    .chm: <filetype is not registered>
    .
    =============== Created Last 30 ================
    .
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 20:50:33.34 ===============
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Did you set those Hosts file entries yourself?


    Download Farbar's Service Scanner from the link below and save it to your desktop.

    LINK
    • Double click FSS.exe to run it.
    • Check (tick) the following checkboxes:
      • Internet Services
      • Windows Firewall
      • Security Center/Action Center
      • Windows Update
      • Other Services
    • Click Scan
    • When finished, Notepad will open. Post the contents in your next reply.
    The log can also be found on your desktop, named FSS.txt.
  • raz_uk
    raz_uk Posts: 252 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    waddler_8 wrote: »
    Did you set those Hosts file entries yourself?


    Download Farbar's Service Scanner from the link below and save it to your desktop.

    LINK
    • Double click FSS.exe to run it.
    • Check (tick) the following checkboxes:
      • Internet Services
      • Windows Firewall
      • Security Center/Action Center
      • Windows Update
      • Other Services
    • Click Scan
    • When finished, Notepad will open. Post the contents in your next reply.
    The log can also be found on your desktop, named FSS.txt.

    Hi Waddler,

    Just checked with my brother - he added the oron hosts but NOT any others. Please see below from my FSS scan:

    Farbar Service Scanner Version: 16-06-2013
    Ran by Funny Man (administrator) on 26-06-2013 at 22:07:21
    Running from "C:\Documents and Settings\Funny Man\Local Settings\Temporary Internet Files\Content.IE5\68I56U91"
    Microsoft Windows XP Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open sharedaccess registry key. The service key does not exist.
    Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.

    Firewall Disabled Policy:
    ==================

    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    Checking LEGACY_wuauserv: ATTENTION!=====> Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.

    Windows Autoupdate Disabled Policy:
    ============================

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll
    [2002-08-29 13:00] - [2006-05-19 13:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F
    C:\WINDOWS\system32\Drivers\afd.sys
    [2002-08-29 13:00] - [2008-08-14 10:51] - 0138368 ____A (Microsoft Corporation) 55E6E1C51B6D30E54335750955453702
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2002-08-29 13:00] - [2004-08-03 23:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B
    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2002-08-29 13:00] - [2008-06-20 11:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9
    C:\WINDOWS\system32\Drivers\ipsec.sys
    [2002-08-29 13:00] - [2004-08-03 23:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
    C:\WINDOWS\system32\dnsrslvr.dll
    [2002-08-29 13:00] - [2008-02-20 06:32] - 0045568 ____A (Microsoft Corporation) AAC8FFBFD61E784FA3BAC851D4A0BD5F
    C:\WINDOWS\system32\ipnathlp.dll
    [2002-08-29 13:00] - [2004-08-04 00:56] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF
    C:\WINDOWS\system32\netman.dll
    [2002-08-29 13:00] - [2005-08-22 19:29] - 0197632 ____A (Microsoft Corporation) 36739B39267914BA69AD0610A0299732
    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2005-04-29 21:32] - [2004-08-04 00:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E
    C:\WINDOWS\system32\wscsvc.dll
    [2005-04-29 21:53] - [2004-08-04 00:56] - 0081408 ____N (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A
    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2005-04-29 21:32] - [2004-08-04 00:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E
    C:\WINDOWS\system32\wuauserv.dll
    [2005-04-29 21:32] - [2004-08-04 00:56] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8
    C:\WINDOWS\system32\qmgr.dll
    [2005-04-29 21:33] - [2004-08-04 00:56] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA
    C:\WINDOWS\system32\es.dll
    [2002-08-29 13:00] - [2008-07-07 21:32] - 0253952 ____A (Microsoft Corporation) 60D1A6342238378BFB7545C81EE3606C
    C:\WINDOWS\system32\cryptsvc.dll
    [2002-08-29 13:00] - [2004-08-04 00:56] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B
    C:\WINDOWS\system32\svchost.exe
    [2002-08-29 13:00] - [2004-08-04 00:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716
    C:\WINDOWS\system32\rpcss.dll
    [2002-08-29 13:00] - [2009-02-09 11:20] - 0399360 ____A (Microsoft Corporation) 01095FEBF33BEEA00C2A0730B9B3EC28
    C:\WINDOWS\system32\services.exe
    [2002-08-29 13:00] - [2009-02-06 18:14] - 0110592 ____A (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE

    Extra List:
    =======
    Avgtdix(2) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
    0x06000000050000000300000004000000020000000600000007000000
    IpSec Tag value is correct.
    **** End of log ****
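    One way to re-check, from PowerShell, the two things the thread turns on: the three service registry keys that the FSS log above reports as missing (SharedAccess for the Windows Firewall, wscsvc for Security Center, wuauserv for Windows Update) and any Hosts file entries beyond the loopback default that waddler asked about. This is an added example, not part of the thread or of FSS/DDS/aswMBR; it assumes an elevated PowerShell session on the affected machine and the standard HKLM\SYSTEM\CurrentControlSet paths for service and LEGACY_* keys.

```powershell
# Added example (not from the thread). Re-checks the FSS findings above:
# do the service keys for SharedAccess, wscsvc and wuauserv still exist,
# and which Hosts entries are not "127.0.0.1 localhost". Run elevated.

$services = @{
    'SharedAccess' = 'Windows Firewall / Internet Connection Sharing'
    'wscsvc'       = 'Security Center'
    'wuauserv'     = 'Automatic Updates'
}
$startTypes = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Test-ServiceKey {
    param([string]$Name)
    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    # FSS also checks the Plug and Play LEGACY_<SERVICE>\0000 key
    $legacy = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($Name.ToUpper())\0000"
    $report = New-Object PSObject -Property @{
        Service    = $Name
        Purpose    = $services[$Name]
        KeyExists  = (Test-Path $key)
        StartType  = 'n/a'
        ImagePath  = 'n/a'
        ServiceDll = 'n/a'
        LegacyKey  = (Test-Path $legacy)
        Status     = 'not installed'
    }
    if ($report.KeyExists) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props.Start -ne $null) {
            $start = [int]$props.Start
            $report.StartType = if ($startTypes.ContainsKey($start)) { $startTypes[$start] } else { "$start" }
        }
        if ($props.ImagePath) { $report.ImagePath = $props.ImagePath }
        $parms = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
        if ($parms.ServiceDll) { $report.ServiceDll = $parms.ServiceDll }
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        if ($svc) { $report.Status = $svc.Status }
    }
    return $report
}

"== Service configuration =="
foreach ($name in $services.Keys) {
    $r = Test-ServiceKey -Name $name
    if (-not $r.KeyExists) { "ATTENTION: {0} ({1}) service key is missing" -f $r.Service, $r.Purpose }
    $r | Format-List Service, Purpose, KeyExists, StartType, ImagePath, ServiceDll, LegacyKey, Status
}

"== Hosts entries other than 127.0.0.1 localhost =="
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in Get-Content $hostsFile) {
    $line = ($line -split '#')[0].Trim()      # strip comments and blank lines
    if ($line -eq '') { continue }
    $fields = $line -split '\s+'
    if ($fields.Count -lt 2) { continue }
    if (-not ($fields[0] -eq '127.0.0.1' -and $fields[1] -eq 'localhost')) {
        "Hosts: {0} -> {1}" -f $fields[1], $fields[0]
    }
}
```

    On a machine in the state shown in the FSS log, all three services report KeyExists False, which is why the firewall applet cannot open; recreating the keys (or applying the service pack, as suggested below) is the repair, not just restarting the service.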
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    The best thing to do is to update to Service Pack 3. Microsoft stopped supporting XP without it some time ago (July 13, 2010).

    http://windows.microsoft.com/en-us/windows/help/what-does-end-of-support-mean

    Download it from here: http://www.microsoft.com/en-us/download/details.aspx?id=24

    Let me know when you've done that (may be a job for tomorrow).
This discussion has been closed.