Avast WEBforum
Other => Viruses and worms => Topic started by: dasva on February 26, 2012, 10:33:09 PM
-
So basically each time I run various anti-whatever programs it will seem to fix it, but eventually all my searches will start getting hijacked. So I got avast free and did a full scan, and after that I started having various things blocked by Network Shield. The objects were always different but the process would always be globalroot\systemroot\svchost.exe. And my searches still get hijacked. So I ran a full boot-up scan and eventually got that finished, as well as MBAM, and it had me restart too, and I still have the problem, so I'm creating a new topic like the "logs to assist" thread says.
-
Do you have more logs? Malwarebytes / aswMBR
-
I see you are running AVG and avast.
Running multiple AVs will create all kinds of Windows errors and false positive detections, so you have to uninstall one.
It is also recommended to run a removal tool so all leftover file(s) that can conflict are gone.
Run and reboot - Uninstallers – Security Software
http://singularlabs.com/uninstallers/security-software/
-
Ta Pondus ;D
I will need to see the aswMBR log please so that I can determine the variant.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-3799292957-1194181936-1802369922-1000\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
:Files
ipconfig /flushdns /c
C:\Program Files (x86)\Search Toolbar
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
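-
An added note, not from any poster in this thread: the O2 and O3 lines in the OTL fix above are Internet Explorer Browser Helper Objects and toolbars, which are registered in the registry by CLSID. The PowerShell below was written for this edit (it is not an OTL or forum tool) and enumerates those registrations from the standard IE registry locations, resolving each CLSID to the DLL it loads and reporting whether the DLL exists on disk and who signed it, so an entry can be judged before anything is removed. It only reads the registry and files; nothing is modified.

```powershell
# Added example, not from the thread: list IE Browser Helper Objects (O2) and
# toolbars (O3) and resolve each CLSID to its DLL, signer and on-disk status.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$toolbarKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID'
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Resolve-Clsid {
    # Return the friendly name and InprocServer32 DLL for a {CLSID}, or nulls
    # when no CLSID key exists (the "No CLSID value found" case in an O3 line).
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $key = Join-Path -Path $root -ChildPath $Clsid
        if (-not (Test-Path -Path $key)) { continue }
        $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
        return [pscustomobject]@{ Name = $name; Dll = $dll }
    }
    [pscustomobject]@{ Name = $null; Dll = $null }
}

function New-Entry {
    param([string]$Kind, [string]$Source, [string]$Clsid)
    $info    = Resolve-Clsid -Clsid $Clsid
    $dllPath = if ($info.Dll) { [Environment]::ExpandEnvironmentVariables($info.Dll.Trim('"')) } else { $null }
    $onDisk  = [bool]($dllPath -and (Test-Path -LiteralPath $dllPath))
    $signer  = $null
    if ($onDisk) {
        # Authenticode check: a valid signature names the publisher, anything else is suspect
        $sig    = Get-AuthenticodeSignature -FilePath $dllPath
        $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "unsigned/$($sig.Status)" }
    }
    [pscustomobject]@{
        Kind   = $Kind
        Clsid  = $Clsid
        Name   = $info.Name
        Dll    = $dllPath
        OnDisk = $onDisk
        Signer = $signer
        Source = $Source
    }
}

$entries = @()
# BHOs are registered as subkeys named by CLSID
foreach ($key in $bhoKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $entries += New-Entry -Kind 'BHO (O2)' -Source $key -Clsid $sub.PSChildName
    }
}
# Toolbars are registered as values whose *name* is the CLSID
foreach ($key in $toolbarKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }
    foreach ($p in $props) {
        $entries += New-Entry -Kind 'Toolbar (O3)' -Source $key -Clsid $p.Name
    }
}
$entries | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

Run it from a normal PowerShell prompt on the affected machine; reading HKLM does not need elevation. A CLSID that resolves to no key is what OTL prints as "No CLSID value found", and a DLL that is missing or unsigned is the kind of entry worth researching before it is deleted.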
-
aswMBR log
-
Ah, which do I do, or all that stuff?
-
Run the OTL fix please and then
Download and install ComboFix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
-
OK, did all that, and ComboFix started preparing a log on startup... and it's just been like that for about 20 minutes now.
Also just got the same avast warning.
-
Oh, guess I just didn't wait long enough...
And yes, still getting a lot of alerts about globalroot\systemroot\svchost.exe. And thanks for all the help so far.
I might also add that one of my processes is taking up pretty much more memory than everything else combined if I look in Task Manager. It's the only svchost.exe*32 currently up; the description is winscrmde and it's taking up ~1,500,000k.
Also, rerunning some of these programs turns up new stuff.
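-
An added note, not from any poster in this thread: the symptom described above (a lone svchost.exe*32 with an unfamiliar description using around 1.5 GB) can be given a first look without any third-party tool. The PowerShell below was written for this edit and lists every svchost.exe instance with its image path, file description (what Task Manager shows in its Description column), working set and the services registered as running inside it. It flags an image outside System32/SysWOW64, an instance hosting no registered service, and a working set above a threshold; the 500 MB threshold is an arbitrary value chosen for illustration, not a rule.

```powershell
# Added example, not from the thread: triage every svchost.exe instance.
# Run from an elevated prompt so ExecutablePath is readable for all processes.
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32')
    (Join-Path $env:SystemRoot 'SysWOW64')
)
# Assumption for illustration only; tune for the machine being examined.
$workingSetLimitMB = 500

# Map PID -> services the Service Control Manager reports as running in it
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$rows = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $procId = $_.ProcessId
    $path   = $_.ExecutablePath
    $dir    = if ($path) { Split-Path -Path $path -Parent } else { '<unknown>' }
    $wsMB   = [math]::Round($_.WorkingSetSize / 1MB, 1)

    $hosted = @()
    if ($servicesByPid -and $servicesByPid.ContainsKey("$procId")) {
        $hosted = @($servicesByPid["$procId"] | ForEach-Object { "$($_.Name) ($($_.DisplayName))" })
    }

    # Version-info description is what Task Manager displays for the process
    $desc = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-Item -LiteralPath $path).VersionInfo.FileDescription
    } else { $null }

    $flags = @()
    if ($dir -eq '<unknown>')                { $flags += 'image path not readable (run elevated)' }
    elseif ($expectedDirs -notcontains $dir) { $flags += 'image path outside System32/SysWOW64' }
    if ($hosted.Count -eq 0)                 { $flags += 'hosts no registered service' }
    if ($wsMB -gt $workingSetLimitMB)        { $flags += "working set above $workingSetLimitMB MB" }

    [pscustomobject]@{
        PID          = $procId
        Path         = $path
        Description  = $desc
        WorkingSetMB = $wsMB
        Services     = ($hosted -join '; ')
        Flags        = ($flags -join '; ')
    }
}
$rows | Sort-Object WorkingSetMB -Descending | Format-Table -AutoSize -Wrap
```

Treat the output as a starting point, not a verdict: a legitimate svchost can be large, and in this thread the actual cause turned out to be a boot-sector rootkit found later by AVPTool, which a process listing on its own would not reveal. The value of the listing is that it shows which process to send for analysis and whether its image even lives where Windows keeps it.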
-
Something new here
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:regfind
winscrmde
WS2IFSL
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-
SystemLook
Edit: Haven't had any alerts from avast for a while now, and so far none of my searches have been hijacked... most recent scans turn up nothing. But not sure what's changed, since it still was right after the last fix. Also that one process is still really big.
-
As a side note for essexboy, I found a ThreatExpert report related to what he is investigating [may not be an accurate report though]; maybe this may help essexboy:
http://www.threatexpert.com/files/ws2ifsl.exe.html
-
OK, that is the legitimate sys file ;D
If all is well tomorrow let me know and I will tidy up
-
Still getting the same Network Shield alerts, but they seem to be less frequent. I only know they're happening because I check the log.
Any reason why that one process sometimes uses so much memory? I mean it literally is more than everything else combined. Granted I wasn't running much, but that is a serious chunk of my memory. It's been doing that for a while sometimes. Lags me down tons and sometimes actually makes me run out of memory.
Edit: Guess I said that too soon. A lot more alerts now.
-
WS2IFSL.sys is the "Winsock IFS Driver" and is used for non-standard ISP-type connections.
Is this the one taking all your memory up?
OK, let's do a deep analysis - this programme will produce a zip file for me to look at. Could you upload it to MediaFire and post the sharing link?
Download AVPTool from Here (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to your desktop
Run the programme you have just downloaded to your desktop (it will be randomly named)
First we will run a virus scan
Click the cog in the upper right
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPfront.gif)
Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpsettings.gif)
Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post
Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif)
On completion click the link to locate the zip file to upload and attach to your next post
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif)
-
Not sure how to check that WS2IFSL.sys thing. Don't see it in Task Manager.
Sorry the scan took so long, but it was a long scan and the computer accidentally got bumped halfway through the first one, then it told me to restart after the second scan. As such I think the saved report doesn't have all the viruses in it. Also to note, I can't seem to even get to the location where any of these files are. Basically there is no AppData folder under my user folder...
Anyway, sysinfo stuff:
http://www.mediafire.com/?6ivpvog69qf3por
-
3/1/2012 9:44:41 AM Disinfected Trojan program Rootkit.Boot.Pihar.b \Device\Harddisk0\DR0 High
OK, that appears to have been the problem.
AVG is still showing a bunch of drivers
How is the computer now ?
-
I don't think I've gotten another alert since the last scan finished. No more svchost.exe*32s running right now even though I have all the same programs I normally have up, and lag has been normal-ish. Looks like the last one did it.
Yeah, the first scan or 2 had a lot of stuff in AVG. I want to say a total of 60-70 threats, which was almost all of them.
Thanks for all the help. And that last scanner is a beast. Found so much the others didn't. Too bad it takes forever.
-
If all is well tomorrow let me know and I will remove my tools
-
Yep that did it thanks again
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL - Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go Start > All Programs > Accessories > System Tools
- Right click Disk Cleanup and select Run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo Update Checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Before I get started with all that I have some questions.
Why remove all the tools? A couple of them seem kinda useful.
Why are we making sure hidden files stay hidden? On that note, I actually don't see a Tools menu to click. Though I can get to something that ends up going to an option to do that under Organize.
And yeah, I was keeping my AVG running and updated, but apparently it seems it itself was infected, so I switched to avast. That should work fine, right?
-
The 'tools' OTL, ComboFix are constantly updated, so before using them (under supervision) if problems occur you want the latest version.
In the My Computer window there is a menu along the top; one of the options is Tools, that's the one, clicking that gives the other options, Folder Options, etc. (see image; whilst this is on my XP system it should be similar). Keeping those system files/folders hidden avoids accidental deletion, etc.
You have to remove AVG; you can't keep two resident antivirus applications installed (even if you disable one) as the low-level drivers can conflict, which could leave you more vulnerable.
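-
An added note, not from any poster in this thread: Windows keeps its own list of registered antivirus products in the WMI namespace root/SecurityCenter2, which gives a quick way to confirm the situation David describes, more than one resident antivirus installed at once. The PowerShell below was written for this edit and lists the registered products and warns when more than one reports real-time protection as enabled. The decoding of the productState field (hex digits 3-4 for real-time state, digits 5-6 for definition status) follows the widely used community convention rather than an official Microsoft specification, so treat that part as an assumption.

```powershell
# Added example, not from the thread: list antivirus products registered with
# Windows Security Center and warn when two or more are resident at once.
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct

function ConvertFrom-ProductState {
    # productState is a packed number; this layout is the community-documented
    # convention (assumption): digits 3-4 real-time state, digits 5-6 definitions.
    param([uint32]$State)
    $hex = '{0:x6}' -f $State
    [pscustomobject]@{
        RealTimeEnabled     = ($hex.Substring(2, 2) -in @('10', '11'))
        DefinitionsUpToDate = ($hex.Substring(4, 2) -eq '00')
    }
}

$report = foreach ($p in $products) {
    $state = ConvertFrom-ProductState -State $p.productState
    [pscustomobject]@{
        Product  = $p.displayName
        Path     = $p.pathToSignedProductExe
        RealTime = $state.RealTimeEnabled
        UpToDate = $state.DefinitionsUpToDate
    }
}
$report | Format-Table -AutoSize

# The conflict David describes: two products both claiming real-time protection
$active = @($report | Where-Object { $_.RealTime })
if ($active.Count -gt 1) {
    Write-Warning ("{0} products report real-time protection: {1}. Uninstall all but one." -f
        $active.Count, ($active.Product -join ', '))
}
elseif ($active.Count -eq 0) {
    Write-Warning 'No product reports real-time protection.'
}
```

The namespace exists on client editions of Windows from Vista onward (XP uses root/SecurityCenter with a different schema); server editions do not have it. A product that is still listed after it has supposedly been uninstalled is exactly the leftover that the removal tools Pondus linked earlier are meant to clean up.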
-
What David said ;D
Malware tools are updated very regularly as they are targeted by malware, so we need to keep one step ahead