Avast WEBforum

Other => Viruses and worms => Topic started by: malik99 on August 08, 2013, 04:58:30 PM

Title: Hidden service found [aswMBR]
Post by: malik99 on August 08, 2013, 04:58:30 PM
I scanned my PC with aswMBR and found a hidden service DLL or something, and after that I got a blue screen error. Now I don't find that hidden service again.

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-08-08 17:47:16
-----------------------------
17:47:16.972    OS Version: Windows x64 6.1.7600
17:47:16.972    Number of processors: 4 586 0x403
17:47:16.972    ComputerName: FENRIS-PC  UserName: Fenris
17:47:17.142    Initialize success
17:47:39.194    AVAST engine defs: 13080800
17:47:45.764    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:47:45.764    Disk 0 Vendor: SAMSUNG_HD502HJ 1AJ10001 Size: 476940MB BusType: 3
17:47:45.794    Disk 0 MBR read successfully
17:47:45.794    Disk 0 MBR scan
17:47:45.794    Disk 0 Windows 7 default MBR code
17:47:45.804    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
17:47:45.814    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       406838 MB offset 206848
17:47:45.824    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        70000 MB offset 833411072
17:47:45.844    Disk 0 scanning C:\Windows\system32\drivers
17:47:52.524    Service scanning
17:48:12.054    Modules scanning
17:48:12.064    Disk 0 trace - called modules:
17:48:12.094    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80039a72c0]<<sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
17:48:12.104    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a3f060]
17:48:12.104    3 CLASSPNP.SYS[fffff880013cf43f] -> nt!IofCallDriver -> [0xfffffa80047e0c60]
17:48:12.114    5 ACPI.sys[fffff8800118f781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80047d8060]
17:48:12.124    \Driver\atapi[0xfffffa80047b7d80] -> IRP_MJ_CREATE -> 0xfffffa80039a72c0
17:48:12.524    AVAST engine scan C:\Windows
17:48:13.634    AVAST engine scan C:\Windows\system32
17:51:27.404    AVAST engine scan C:\Windows\system32\drivers
17:51:35.344    AVAST engine scan C:\Users\Fenris
17:54:38.394    File: C:\Users\Fenris\AppData\Local\Temp\Vea+P99i.exe.part  **INFECTED** Win32:Malware-gen
17:55:48.448    AVAST engine scan C:\ProgramData
17:56:31.373    Scan finished successfully
17:57:34.579    Disk 0 MBR has been saved successfully to "C:\Users\Fenris\Desktop\MBR.dat"
17:57:34.589    The log file has been saved successfully to "C:\Users\Fenris\Desktop\aswMBR.txt"

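An added example, not part of the thread: a small Python parser for aswMBR logs in the format posted above. It pulls out the MBR verdict, the partition table, any `>>UNKNOWN<<` entry in the disk trace chain and the `**INFECTED**` hits, then lists what a helper would look at first. The abridged sample log is constructed from the lines above; the field names are my own.

```python
import re

# Constructed, abridged excerpt in the same format as the aswMBR log posted above.
SAMPLE_LOG = r"""
17:47:45.794    Disk 0 Windows 7 default MBR code
17:47:45.804    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
17:47:45.814    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       406838 MB offset 206848
17:48:12.094    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80039a72c0]<<sptd.sys ataport.SYS hal.dll atapi.sys
17:54:38.394    File: C:\Users\Fenris\AppData\Local\Temp\Vea+P99i.exe.part  **INFECTED** Win32:Malware-gen
17:56:31.373    Scan finished successfully
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3})\s+(.*)$")
MBR = re.compile(r"^Disk \d+ (.+) MBR code$")
PART = re.compile(r"^Disk \d+ Partition (\d+) (\w{2})\s+(?:\(A\)\s+)?(\w{2})\s+(.+?)\s+(\d+) MB offset (\d+)$")
HOOK = re.compile(r"(\S+) >>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<(\S+)")  # modules before/after the unknown code
INFECTED = re.compile(r"^File: (.+?)\s+\*\*INFECTED\*\*\s+(\S+)$")

def parse_aswmbr(log):
    """Extract the security-relevant facts from an aswMBR log into a dict."""
    r = {"mbr_code": None, "partitions": [], "hooks": [], "infected": []}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        if (x := MBR.match(msg)):
            r["mbr_code"] = x.group(1)
        elif (x := PART.match(msg)):
            idx, flag, ptype, fs, size_mb, offset = x.groups()
            # boot indicator 0x80 marks the active (bootable) partition
            r["partitions"].append({"index": int(idx), "bootable": flag == "80", "type": ptype,
                                    "fs": fs, "size_mb": int(size_mb), "offset": int(offset)})
        elif (x := HOOK.search(msg)):
            before, addr, after = x.groups()
            r["hooks"].append({"address": addr, "between": (before, after)})
        elif (x := INFECTED.match(msg)):
            r["infected"].append({"time": ts, "path": x.group(1), "detection": x.group(2)})
    return r

def triage(r):
    """Turn the parsed facts into the points a helper would check first."""
    notes = []
    std = r["mbr_code"] is not None and r["mbr_code"].endswith("default")
    notes.append("MBR: %s code%s" % (r["mbr_code"], "" if std else ", inspect the saved MBR.dat"))
    for h in r["hooks"]:  # unknown code in the disk I/O chain: a rootkit hook or a legitimate filter driver
        notes.append("disk stack hook at %s between %s and %s: identify the driver that owns it"
                     % (h["address"], *h["between"]))
    for f in r["infected"]:
        kind = "partial download" if f["path"].endswith(".part") else "file"
        notes.append("%s %s flagged as %s" % (kind, f["path"], f["detection"]))
    return notes
```

Running `triage(parse_aswmbr(SAMPLE_LOG))` on the sample names the unknown module between ACPI.sys and sptd.sys and the flagged .part file, which is what the replies below go on to discuss.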

Title: Re: Hidden service found [aswMBR]
Post by: magna86 on August 08, 2013, 05:07:07 PM
Hi,
aswMBR is an anti-rootkit tool. It's not bad to scan and inspect the system with it from time to time if you like, but keep in mind that this is just an anti-rootkit scanner, not an ordinary scanner.

17:54:38.394    File: C:\Users\Fenris\AppData\Local\Temp\Vea+P99i.exe.part  **INFECTED** Win32:Malware-gen

This was caught by the avast heuristics engine. It is an unfinished part of something, maybe a download.

Let's check the system:

Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


Title: Re: Hidden service found [aswMBR]
Post by: malik99 on August 08, 2013, 05:42:37 PM
Can't post it, it's too large.

Title: Re: Hidden service found [aswMBR]
Post by: magna86 on August 08, 2013, 06:02:47 PM
Hi,

You really need to learn what you install and how. You have all sorts of crap on your system.

First ...

Start > Control Panel > Programs and Features

Uninstall following:

Ask Toolbar (x32 Version: 1.15.25.0)
Ask Toolbar Updater (HKCU Version: 1.2.6.44892)
DefaultTab (x32 Version: 2.2.8.0)
mHotspot version 6.3.4.5 (x32 Version: 6.3.4.5)

Reboot your computer.

Next ...

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad window.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
START
C:\Users\Fenris\AppData\Roaming\DefaultTab
C:\Program Files (x86)\Ask.com
MountPoints2: F - F:\autorun.exe
MountPoints2: {795575d9-ea21-11e2-91d8-002522abef77} - G:\HTC_Sync_Manager_PC.exe
MountPoints2: {c27d7b40-db7b-11e2-9c86-806e6f6e6963} - F:\autorun.exe
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mhotspot.com/search.html
SearchScopes: HKCU - {A0281FB0-9D98-47B8-8A73-9EA38D39DF4D} URL = http://www.mysearchresults.com/search?c=2402&t=15&q={searchTerms}
BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll No File
BHO-x32: DefaultTab Browser Helper - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Fenris\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll (Search Results LLC.)
BHO-x32: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM-x32 - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
FF user.js: detected! => C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\user.js
FF SelectedSearchEngine: WebSearch
FF Keyword.URL: hxxp://websearch.resulthunters.info/?unqvl=21&l=1&q=
FF SearchPlugin: C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\searchplugins\WebSearch.xml
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\searchplugins\WebSearch.xml
FF Extension: Ask Toolbar - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\toolbar@ask.com
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\toolbar@ask.com
FF Extension: addon - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\addon@defaulttab.com.xpi
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\addon@defaulttab.com.xpi
FF Extension: No Name - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{10d0b221-588a-4920-9d9f-1f6929149755}.xpi
FF Extension: No Name - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{10d0b221-588a-4920-9d9f-1f6929149755}.xpi
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi
CHR Extension: (Ask Toolbar) - C:\Users\Fenris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaapnjeoabhkpdiinmomghdncekhiib\7.15.25.54978_0
C:\Users\Fenris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaapnjeoabhkpdiinmomghdncekhiib
CHR HKLM-x32\...\Chrome\Extension: [aaaapnjeoabhkpdiinmomghdncekhiib] - C:\Users\Fenris\AppData\Local\APN\GoogleCRXs\aaaapnjeoabhkpdiinmomghdncekhiib_7.15.25.0.crx
C:\Users\Fenris\AppData\Local\APN\GoogleCRXs\aaaapnjeoabhkpdiinmomghdncekhiib_7.15.25.0.crx
CHR HKLM-x32\...\Chrome\Extension: [kdidombaedgpfiiedeimiebkmbilgmlc] - C:\Program Files (x86)\DefaultTab\DefaultTab.crx
C:\Program Files (x86)\DefaultTab
S2 DefaultTabSearch; C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe [572928 2013-02-11] ()
R2 DefaultTabUpdate; C:\Users\Fenris\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-06-21] ()
C:\Users\Fenris\AppData\Roaming\DefaultTab
CMD: ipconfig /flushdns
END

2. Save the Notepad file as fixlist.txt
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

Next ...

Re-check:

Please download zoek.exe (http://home.kpn.nl/stefsmeenk/zoek.exe/) and save it to your desktop.

Code:

installedprogs;
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

Title: Re: Hidden service found [aswMBR]
Post by: malik99 on August 08, 2013, 06:20:03 PM
mHotspot version 6.3.4.5 (x32 Version: 6.3.4.5)

This is a tool that allows me to use my wireless adaptor as a wifi router (to send my internet connection to my phone).

Title: Re: Hidden service found [aswMBR]
Post by: magna86 on August 08, 2013, 06:58:43 PM
Ok, then instead of the above script you will run this FRST script. The zoek script remains the same.

Code:
START
C:\Users\Fenris\AppData\Roaming\DefaultTab
C:\Program Files (x86)\Ask.com
MountPoints2: F - F:\autorun.exe
MountPoints2: {795575d9-ea21-11e2-91d8-002522abef77} - G:\HTC_Sync_Manager_PC.exe
MountPoints2: {c27d7b40-db7b-11e2-9c86-806e6f6e6963} - F:\autorun.exe
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
SearchScopes: HKCU - {A0281FB0-9D98-47B8-8A73-9EA38D39DF4D} URL = http://www.mysearchresults.com/search?c=2402&t=15&q={searchTerms}
BHO-x32: DefaultTab Browser Helper - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Fenris\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll (Search Results LLC.)
BHO-x32: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM-x32 - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
FF user.js: detected! => C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\user.js
FF SelectedSearchEngine: WebSearch
FF Keyword.URL: hxxp://websearch.resulthunters.info/?unqvl=21&l=1&q=
FF SearchPlugin: C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\searchplugins\WebSearch.xml
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\searchplugins\WebSearch.xml
FF Extension: Ask Toolbar - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\toolbar@ask.com
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\toolbar@ask.com
FF Extension: addon - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\addon@defaulttab.com.xpi
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\addon@defaulttab.com.xpi
FF Extension: No Name - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{10d0b221-588a-4920-9d9f-1f6929149755}.xpi
FF Extension: No Name - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{10d0b221-588a-4920-9d9f-1f6929149755}.xpi
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi
CHR Extension: (Ask Toolbar) - C:\Users\Fenris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaapnjeoabhkpdiinmomghdncekhiib\7.15.25.54978_0
C:\Users\Fenris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaapnjeoabhkpdiinmomghdncekhiib
CHR HKLM-x32\...\Chrome\Extension: [aaaapnjeoabhkpdiinmomghdncekhiib] - C:\Users\Fenris\AppData\Local\APN\GoogleCRXs\aaaapnjeoabhkpdiinmomghdncekhiib_7.15.25.0.crx
C:\Users\Fenris\AppData\Local\APN\GoogleCRXs\aaaapnjeoabhkpdiinmomghdncekhiib_7.15.25.0.crx
CHR HKLM-x32\...\Chrome\Extension: [kdidombaedgpfiiedeimiebkmbilgmlc] - C:\Program Files (x86)\DefaultTab\DefaultTab.crx
C:\Program Files (x86)\DefaultTab
S2 DefaultTabSearch; C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe [572928 2013-02-11] ()
R2 DefaultTabUpdate; C:\Users\Fenris\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-06-21] ()
C:\Users\Fenris\AppData\Roaming\DefaultTab
CMD: ipconfig /flushdns
END
Title: Re: Hidden service found [aswMBR]
Post by: magna86 on August 09, 2013, 05:25:32 PM
bump!

Are you still with us?