Avast WEBforum

Other => Viruses and worms => Topic started by: youngsta on July 30, 2011, 02:45:33 PM

Title: Infected with Whistler / Black internet
Post by: youngsta on July 30, 2011, 02:45:33 PM
Hi, I'm really hoping to get some help on this. Firstly I'd just like to say that I haven't really been getting many problems, i.e. pop-ups or excessive CPU or RAM usage; the one problem that has brought me to this point is I keep getting incoming requests in Comodo (which I've blocked) for svchost.exe, sometimes up to a thousand a day. Anyway, I've scanned with avast at boot and normal, nothing found; I've scanned with Malwarebytes and SUPERAntiSpyware, nothing found. I did a scan with TDSSKiller and it found "Trojan-Clicker.Win32.Wistler.a" but stated it could not fix it. Then I ran MBRCheck and it found "Known-Bad MBR Code Detected Whistler / Black Internet", chose to rewrite MBR, chose number 1 Windows XP, it said done, reboot, so I rebooted, ran it again and it was still there! I really don't know what to do. What is this? And how do I get rid of it? Thank you very much if you can help.
Title: Re: Infected with Whistler / Black internet
Post by: Left123 on July 30, 2011, 02:48:10 PM
Hi youngsta,

Download aswMBR.exe from here http://public.avast.com/~gmerek/aswMBR.htm

1) Double-click the aswMBR.exe to run it
2) Click the [Scan] button to start the scan
3) On completion of the scan click [Save log], save it to your desktop and post it in your next reply
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 30, 2011, 03:26:49 PM
Thanks, do I need to disable antivirus or anything?
Title: Re: Infected with Whistler / Black internet
Post by: DavidR on July 30, 2011, 03:28:59 PM
No, just run it from Windows normal mode.
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 30, 2011, 03:58:25 PM
Here is the scan; it looks like it only scanned 1 HDD. I probably should have mentioned I have 1 internal HDD with the OS on, then I have a 500GB external and a 1TB external; the code was found on Disk 2, which is the 500GB.

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-07-30 14:36:01
-----------------------------
14:36:01.703    OS Version: Windows 5.1.2600 Service Pack 3
14:36:01.703    Number of processors: 2 586 0x403
14:36:01.703    ComputerName: WORKGROUP-FFDC5F  UserName: Youngie
14:36:03.078    Initialize success
14:36:03.390    AVAST engine defs: 11073000
14:36:10.703    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
14:36:10.703    Disk 0 Vendor: Maxtor_6L160M0 BANC1G10 Size: 152587MB BusType: 3
14:36:12.734    Disk 0 MBR read successfully
14:36:12.734    Disk 0 MBR scan
14:36:12.734    Disk 0 Windows XP default MBR code
14:36:12.734    Disk 0 scanning sectors +312496380
14:36:12.843    Disk 0 scanning C:\WINDOWS\system32\drivers
14:36:20.093    Service scanning
14:36:21.421    Modules scanning
14:36:26.125    Disk 0 trace - called modules:
14:36:26.156    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
14:36:26.156    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aabfab8]
14:36:26.171    3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8aab7d98]
14:36:26.671    AVAST engine scan C:\WINDOWS
14:36:30.500    AVAST engine scan C:\WINDOWS\system32
14:37:56.718    AVAST engine scan C:\WINDOWS\system32\drivers
14:38:07.625    AVAST engine scan C:\Documents and Settings\Youngie
14:50:17.390    AVAST engine scan C:\Documents and Settings\All Users
14:50:55.187    Scan finished successfully
14:53:43.312    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Youngie\Desktop\MBR.dat"
14:53:43.328    The log file has been saved successfully to "C:\Documents and Settings\Youngie\Desktop\aswMBR.txt"


Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 30, 2011, 04:07:10 PM
Here is the MBRCheck log.
Title: Re: Infected with Whistler / Black internet
Post by: DavidR on July 30, 2011, 05:12:48 PM
Are these TDSSKiller and MBRCheck logs you have attached the ones you ran before aswMBR or after the aswMBR scan?

Strange that MBRCheck and TDSSKiller would say they had found Whistler yet aswMBR shows that it finds the default MBR code.
14:36:12.734    Disk 0 Windows XP default MBR code

Which I would guess, if you had run MBRCheck and chose to rewrite MBR, chose number 1 Windows, that would be right (???)
Did you have these external drives attached when you ran aswMBR, or it wouldn't see anything on those?

These external drives surely aren't bootable, are they?
Or there would have to be a custom/modified MBR for a dual boot.
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 30, 2011, 05:29:54 PM
I ran the MBRCheck and TDSSKiller before I scanned with aswMBR.
Disk 0 is OS internal, Disk 1 is external, Disk 2 is external.
aswMBR says Disk 0 Windows XP default MBR code.
MBRCheck says PhysicalDrive2   RE: Known-bad MBR code detected (Whistler / Black Internet)!
The dodgy code was found on Disk 2.
Yes, I did have these drives attached when I ran aswMBR.
I bought the external drive new; it has never had an operating system on it.

I am a bit stumped myself as to why it is only on 1 of my external HDDs, not on the other or my boot drive??? I know nothing about this type of thing.
Thanks for your help.
Title: Re: Infected with Whistler / Black internet
Post by: DavidR on July 30, 2011, 06:23:02 PM
I just wonder why aswMBR doesn't find these other disks (perhaps it doesn't consider external drives).

Then I have to wonder why these two disks have an MBR file since they aren't bootable?

So I think it will require someone with more experience than I to look into this.
Title: Re: Infected with Whistler / Black internet
Post by: essexboy on July 30, 2011, 07:08:30 PM
Both aswMBR and TDSSKiller only determine that bootable drives warrant repair; ensure all drives are connected.

Run MBRCheck.exe once again.

You will be presented with the following dialog:

Quote
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Enter Y and press Enter.

The following dialog will be presented:

Quote
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Enter 2 and press Enter.

The following dialog will be presented:

Quote
Enter the physical disk number to fix (0-99, -1 to cancel):

Enter >>2<< and press Enter.

The following dialog will be presented:

Quote
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive:

Enter >>1<< and press Enter.

The following dialog will be presented:

Quote
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:

Type YES and press Enter (you must type the full word, YES). You will be informed if it successfully wrote a new MBR code!

And last, the following dialog will be presented:

Quote
Done! Press ENTER to exit...

Press Enter. A report will be produced on the desktop. Post that report in your next reply.
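The MBRCheck procedure above rewrites the boot-code region of the first sector, and the thread also asks whether a storage-only external drive should have an MBR at all. The Python script below is an added example, not code from aswMBR, MBRCheck or anyone in this thread: it parses a raw 512-byte sector such as the MBR.dat that aswMBR saved to the desktop, checks the 0x55AA boot signature and the partition table, hashes the 440-byte boot-code region with SHA-256 and compares it against a baseline hash the caller trusts. The two sample sectors, the disk signature value and the baseline hash are constructed here; the real tools' lists of known-good and known-bad images are not reproduced.

```python
"""Parse a raw 512-byte MBR dump and compare its boot code with a baseline.

Added example (not aswMBR's or MBRCheck's code). The 440-byte boot-code region
is hashed because that is the part a standard-code rewrite replaces; the
partition table at offset 446 is what a storage-only disk still needs.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code
DISK_SIG_OFF = 440         # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
PART_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def build_mbr(boot_fill, partitions):
    """Construct a demonstration MBR (not a real one).

    boot_fill  : byte value used to fill the boot-code region
    partitions : up to four (active, type, lba_start, sector_count) tuples
    """
    sector = bytearray(SECTOR)
    sector[:BOOT_CODE_LEN] = bytes([boot_fill]) * BOOT_CODE_LEN
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\x12\x34\x56\x78"  # constructed disk signature
    for i, (active, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if active else 0x00, b"\xff\xff\xfe",
                         ptype, b"\xff\xff\xfe", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(data):
    """Return the signature check, disk signature, boot-code hash and partitions."""
    if len(data) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(data)} bytes")
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            PART_FMT, data, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                      # type 0 marks an unused slot
            partitions.append({"index": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        "disk_signature": data[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "bootable": any(p["active"] for p in partitions),
    }


def compare_boot_code(data, baseline_sha256):
    """Classify a sector against a boot-code hash the caller trusts."""
    info = parse_mbr(data)
    if not info["signature_ok"]:
        return "invalid: missing 0x55AA boot signature"
    if info["boot_code_sha256"] == baseline_sha256:
        return "boot code matches baseline"
    return "boot code differs from baseline"


if __name__ == "__main__":
    # Constructed: a boot disk whose boot code is filler bytes standing in for
    # standard code, and a data-only disk whose boot-code region holds something
    # else but which has a partition table and no active partition.
    boot_disk = build_mbr(0x90, [(True, 0x07, 63, 312496317)])
    data_disk = build_mbr(0xCC, [(False, 0x07, 2048, 976773120)])
    baseline = parse_mbr(boot_disk)["boot_code_sha256"]
    for name, sector in (("boot disk", boot_disk), ("data disk", data_disk)):
        info = parse_mbr(sector)
        print(name, compare_boot_code(sector, baseline),
              "| bootable:", info["bootable"], "| partitions:", info["partitions"])
```

On a real dump, call compare_boot_code(open("MBR.dat", "rb").read(), baseline) with a baseline hash taken from a sector you trust. The data-disk case shows why a drive that has never booted still gets reported on: the partition table lives in the same sector, so every MBR-partitioned disk has an MBR, and the boot-code bytes in front of it are what the checkers compare.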
Title: Re: Infected with Whistler / Black internet
Post by: DavidR on July 30, 2011, 07:16:30 PM
Thanks essexboy for joining the topic and the info on aswMBR and TDSSKiller only considering bootable drives warrant repair.
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 30, 2011, 08:05:27 PM
Hey, thanks for your help; that's what I did the last time though.

edit: Wasn't trying to be smart, just stating that's what I did before :)
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 30, 2011, 08:12:49 PM
Also, do you think svchost.exe is related to this? I've just checked Comodo and it says "Firewall has blocked 203 intrusions so far" since 2:50 this morning. Why would svchost.exe be trying to receive incoming connections?
Title: Re: Infected with Whistler / Black internet
Post by: essexboy on July 30, 2011, 09:26:24 PM
Unless drive 2 is active it would not cause the alerts; they are probably related to something else. What do you use drive 2 for?

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload to Mediafire (http://www.mediafire.com/) and post the sharing link.

Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check


%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT


Please attach the log in your next post.
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 30, 2011, 09:40:05 PM
Sorry to ask again, but do I need to disable antivirus? Avast is telling me to open it in the sandbox; is this normal?
Title: Re: Infected with Whistler / Black internet
Post by: essexboy on July 30, 2011, 10:01:20 PM
Do not let Avast sandbox it; it needs to run normally.

Avast does not need to be disabled, as this is just analysis.
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 30, 2011, 10:42:27 PM
Thanks for your help, I really appreciate it. The HDD in question is only used for storage, mostly music, videos and backups. Is it right that, as it has never been used to boot, it shouldn't have an MBR?
Title: Re: Infected with Whistler / Black internet
Post by: essexboy on July 30, 2011, 11:05:52 PM
Did you install this?
C:\Program Files\Winnydows

No apparent malware is visible; it may be well worth emptying the backup disc with the MBR anomaly and doing a full reformat on it.

Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 30, 2011, 11:55:30 PM
Did you install this?
C:\Program Files\Winnydows
I did; it was XVID4PSP, which I uninstalled; I just deleted the empty folder.
Is there no way to get rid of it? I don't have the space to move all my files off the drive until I can get a new one; also I use this PC for online banking, so basically I will not be able to trust my PC to do anything.
And I really do appreciate your help, thanks.
Title: Re: Infected with Whistler / Black internet
Post by: DavidR on July 31, 2011, 12:29:23 AM
Given what essexboy said about stopping all programs, then perhaps yes, disable the anti-virus. However, if you still get the autosandbox alert in that window, just select run normally.

See image example.

Title: Re: Infected with Whistler / Black internet
Post by: essexboy on July 31, 2011, 11:41:19 AM
I can remove that folder for you, and to give you peace of mind I will run one additional tool.


Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY ->  Winnydows -> C:\Program Files\Winnydows
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1  (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RC1.png)

(http://img.photobucket.com/albums/v706/ried7/RC2-1.png)

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 31, 2011, 03:21:30 PM
Here is the log. I don't know if this is related, but I came back to my PC today and websites were informing me that I didn't have Flash installed, but I know for a fact I did, so I went into Add/Remove Programs and they weren't there. They just uninstalled themselves, so I went to the Adobe site and downloaded Flash again and I got a file that said the company name was "Solid State Networks". Anyway, I've started a thread at the Adobe forums for that. Running ComboFix now. Thanks.

All Processes Killed
[Files/Folders - Created Within 30 Days]
C:\Program Files\Winnydows folder moved successfully.
[Empty Temp Folders]
 
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56502 bytes
 
User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Youngie
->Temp folder emptied: 33593144 bytes
->Temporary Internet Files folder emptied: 1048978 bytes
->Java cache emptied: 190334 bytes
->FireFox cache emptied: 55436231 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1717 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 26129 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 20297 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 89.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: NetworkService
 
User: Youngie
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07312011_141044

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\_avast_\Webshlock.txt not found!

Registry entries deleted on Reboot...
Title: Re: Infected with Whistler / Black internet
Post by: essexboy on July 31, 2011, 03:51:46 PM
Not overly impressed with that company http://www.solidstatenetworks.com/index.php/products/
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 31, 2011, 04:23:49 PM
Me neither, never even heard of them. Do you think this looks dodgy? And that Flash seems to have uninstalled itself?

(http://i51.tinypic.com/28bsehe.jpg)

Here is the ComboFix log. When I ran it, it said there was an update for ComboFix and asked whether I should update; I said no cos I wasn't sure, and I can't remember exactly what it said, but it was something like I have an alternative version of the recovery console that might need updating.
Title: Re: Infected with Whistler / Black internet
Post by: essexboy on July 31, 2011, 04:30:26 PM
Do you play online games?

Could you re-run ComboFix and allow it to update please?
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 31, 2011, 05:34:56 PM
Next ComboFix log. I don't play any online games; my brother plays Facebook games sometimes, but not for a while. That file I got from get.adobe.com/flashplayer.
Title: Re: Infected with Whistler / Black internet
Post by: essexboy on July 31, 2011, 05:49:17 PM
It appears to be related in some way to MP3 files used in online gaming; as to why, I am not sure, but if it was installed via the Adobe site then it should be legit... What are your current problems?
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 31, 2011, 06:27:31 PM
Like I said in my first post, I haven't really been having any problems that I can speak of; svchost.exe trying to receive incoming connections about 5 times a minute is my main one, and all the searching I've done hasn't been able to explain why. I guess I will just keep it unplugged till I can get a new one, if you really think I have nothing to worry about?
And thanks a lot for your help, it really is appreciated. Cheers.
Title: Re: Infected with Whistler / Black internet
Post by: essexboy on July 31, 2011, 06:40:57 PM
I can see no apparent malware; does the alert state what file is using svchost?
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 31, 2011, 06:55:54 PM
No, I got an alert from Comodo that svchost.exe was trying to receive a connection from the internet, so I blocked it. Now when I go into Comodo and look at the logs it's just got svchost.exe listed as a blocked event from 100 to 1000 a day. Outgoing I could understand, but I could not find any answers as to why it would be incoming, so I blocked it. I think I'm just being paranoid cos I uploaded the file to VirusTotal and it was clean, but better to be safe and all that.
Title: Re: Infected with Whistler / Black internet
Post by: essexboy on July 31, 2011, 07:15:17 PM
So it is incoming - that is totally illogical  ???
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 31, 2011, 07:25:31 PM
I think the source is my default gateway and the destination is my PC, whatever that means.

Edit: 16382 times in the last month, sometimes UDP sometimes TCP, same destination port; the source port is tried 7 times then moves up 1, always the same IP.

(http://i52.tinypic.com/1zqcas9.jpg)
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 31, 2011, 08:12:32 PM
Can I just ask as well, what does "detected NTDLL code modification" "ZwClose" mean? Thanks.
Title: Re: Infected with Whistler / Black internet
Post by: DavidR on July 31, 2011, 08:37:44 PM
To me, like essexboy, that doesn't make sense either, as this is giving svchost.exe as the application but the blocking as inbound. Masking the destination IP, etc. doesn't aid investigation.

Generally this inbound connection would have an associated outbound connection for any inbound connection to be for a local file.

So I think filtering this on only inbound/blocked connections may be giving a misleading impression.
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 31, 2011, 08:53:01 PM
What should I change the policy to?
Title: Re: Infected with Whistler / Black internet
Post by: DavidR on July 31, 2011, 09:08:25 PM
I don't think it is a case of changing policy, but seeing all results and not just those blocked.

Virtually all outbound connections will have an associated inbound connection, so to make sense of this, there should be an outbound connection from svchost.exe at very close to the same time.

By looking at the associated outbound connection you can get an idea of what is going on. The svchost.exe file has legit reasons for making an outbound connection, and the most common is connecting to Windows Update.

I don't use comodo, so I can't help with its settings.
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 31, 2011, 09:28:38 PM
I've set it to allow and log outgoing. It is connecting to the IP address of my DNS server, and 1 to 255.255.255.255 from the IP address of my PC; on the incoming, the source is the IP of my default gateway and the destination is the IP address of my PC. I really, really don't understand what any of this means; it's just from looking at the Comodo log and the Support tab of the LAN Status in the sys tray. So do you think I should just unblock it?
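DavidR's suggestion of pairing each blocked inbound event with an outbound one from the same process shortly before it can be applied to an exported log rather than read by eye. The Python below is an added example, not Comodo's log format or anyone's code from this thread: it reads constructed log lines in a simplified whitespace-separated layout, treats an inbound packet as a reply when it arrives at the local port the host itself sent from and comes from the address the host sent to (or from anyone, when the host sent to a broadcast address such as the 255.255.255.255 destination youngsta mentions), and counts whatever remains as unsolicited, grouped by protocol and local port. All addresses, ports and timestamps in the sample are made up.

```python
"""Correlate blocked inbound firewall events with recent outbound ones.

Added example using a constructed, simplified log layout (not Comodo's own).
An inbound event that answers a packet the host sent shortly before is a
reply to that traffic, not an unsolicited connection attempt.
"""
from collections import Counter
from datetime import datetime, timedelta

BROADCAST = "255.255.255.255"

# Constructed sample lines (not real Comodo output). Fields:
# date time application direction action protocol src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
2011-07-31 14:10:01 svchost.exe out allow UDP 192.168.1.10 1025 192.168.1.1 53
2011-07-31 14:10:01 svchost.exe in block UDP 192.168.1.1 53 192.168.1.10 1025
2011-07-31 14:10:05 svchost.exe out allow UDP 192.168.1.10 68 255.255.255.255 67
2011-07-31 14:10:05 svchost.exe in block UDP 192.168.1.1 67 192.168.1.10 68
2011-07-31 14:12:30 svchost.exe in block TCP 192.168.1.1 40001 192.168.1.10 135
2011-07-31 14:12:31 svchost.exe in block TCP 192.168.1.1 40002 192.168.1.10 135
"""


def parse_log(text):
    """Parse the constructed layout into a list of dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, app, direction, action, proto, sip, sport, dip, dport = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "app": app, "direction": direction, "action": action, "proto": proto,
            "src_ip": sip, "src_port": int(sport),
            "dst_ip": dip, "dst_port": int(dport),
        })
    return sorted(events, key=lambda e: e["ts"])


def find_matching_outbound(inbound, events, window):
    """Return the latest outbound event within the window that the inbound one answers.

    A reply uses the same protocol, hits the local port the host sent from, and
    comes from the address the host sent to, or from anyone if the host sent to
    the broadcast address (as a DHCP request does).
    """
    best = None
    for ev in events:
        if ev["direction"] != "out" or ev["proto"] != inbound["proto"]:
            continue
        if not (inbound["ts"] - window <= ev["ts"] <= inbound["ts"]):
            continue
        if ev["src_port"] != inbound["dst_port"]:
            continue
        if ev["dst_ip"] not in (inbound["src_ip"], BROADCAST):
            continue
        if best is None or ev["ts"] > best["ts"]:
            best = ev
    return best


def classify_inbound_blocks(events, window_seconds=5):
    """Label every blocked inbound event as 'reply' or 'unsolicited'."""
    window = timedelta(seconds=window_seconds)
    results = []
    for ev in events:
        if ev["direction"] != "in" or ev["action"] != "block":
            continue
        match = find_matching_outbound(ev, events, window)
        results.append((ev, "reply" if match else "unsolicited", match))
    return results


def summarize(results):
    """Count verdicts, and which (protocol, local port) the unsolicited ones target."""
    verdicts = Counter(verdict for _, verdict, _ in results)
    unsolicited_ports = Counter(
        (ev["proto"], ev["dst_port"]) for ev, verdict, _ in results if verdict == "unsolicited"
    )
    return verdicts, unsolicited_ports


if __name__ == "__main__":
    results = classify_inbound_blocks(parse_log(SAMPLE_LOG))
    for ev, verdict, match in results:
        note = (f"answers outbound to {match['dst_ip']}:{match['dst_port']}"
                if match else "no matching outbound")
        print(f"{ev['ts']} {ev['proto']} {ev['src_ip']}:{ev['src_port']} -> "
              f"local port {ev['dst_port']}: {verdict} ({note})")
    print(summarize(results))
```

Run against the sample, the two UDP blocks turn out to be answers to the host's own DNS query and DHCP broadcast, while the two TCP blocks have no outbound counterpart and stay flagged by local port; on a real export, a blocked-only view like the one in the thread hides exactly the outbound half that makes that distinction.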
Title: Re: Infected with Whistler / Black internet
Post by: DavidR on July 31, 2011, 10:18:26 PM
As I said, I'm really not familiar with Comodo and I don't know why you chose those settings.

My firewall, Outpost Firewall Pro, I have virtually left on default settings, other than that it runs a rules wizard and that would ask me about outbound connections where the application isn't white listed, etc. I certainly wouldn't set it to allow and log outbound connections, as that essentially would let anything out, good or bad.

No, I don't know if that is what you meant or not, but my advice would be don't set rules that you don't know what the expected results are going to be. For the most part firewalls do reasonably well on their default settings. Though Comodo, if/when combined with Defence+, might be a bit noisy (constantly asking questions about processes/connections).

So I only hope there is a Comodo user that can give you some guidance on this.
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 31, 2011, 10:33:20 PM
So you are telling me that I should allow incoming connections to my computer when I don't know what they are?
Title: Re: Infected with Whistler / Black internet
Post by: essexboy on July 31, 2011, 10:37:04 PM
The source gateway on that mask will be your router; reset Comodo to its default settings (I have never used it, so I do not know what they are).
Title: Re: Infected with Whistler / Black internet
Post by: youngsta on July 31, 2011, 10:58:31 PM
I set svchost.exe to allow and log so I could see where it was going, else it would be listed as a Windows system application. I didn't just allow all outbound connections, and I don't just set random rules just for the hell of it. It asked for an incoming connection and, as I didn't know why, I blocked it. If you are telling me that I should have just allowed it, then I don't think you should be giving advice out on this forum.

essexboy thank you very, very much for your help, much appreciated.
Title: Re: Infected with Whistler / Black internet
Post by: essexboy on July 31, 2011, 11:09:49 PM
We really need someone who knows the Comodo firewall. I have just checked my AIS settings and svchost is under system.

I have just revisited the CF log as it shows open ports, and all I found was this one legitimate item:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

It is a legitimate Windows process; however, it can be disabled: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_icmp_disable.mspx?mfr=true