Author Topic: Virus Problem  (Read 12401 times)

Chris Weimer

  • Guest
Virus Problem
« on: June 17, 2010, 09:01:47 PM »
Running Windows Vista Home Premium Service Pack 2 with Avast 5.0.545. In the past couple days I had been getting quite a few virus alerts. I figured Avast was doing its job since it was catching them, but they were frequent and often I was doing nothing more than browsing the internet (just got another one now).

Today I decided to do a full virus scan, but I got the blue screen of death before it could be completed. I decided to do a boot-time scan. Out of the half a dozen files that were said to be infected (a couple Trojans on java class files and some malware), one was unknown, came up as an 0x error message, although I don't know now where the boot-time results are on my computer. :/

I continue now to get blue screens of death, although I'm not sure why, and I am continually getting alerts for threat detection for a "svchost.exe" in the Temp folder.

The viruses found during the boot-kit scan were seekservice.dll, ic2sts[1].exe (which it couldn't delete because it's "not found"), and three Java djewers trojans. I have a bunch more in my virus chest, most of which came about in the past 2 days, and an especially large number last night and this morning.

Anyone have any idea what's wrong, why I keep getting blue screen of death, and how I can get rid of this virus infection?


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Re: Virus Problem
« Reply #1 on: June 17, 2010, 09:11:36 PM »
check your computer for malware with

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
after install click update so you have latest database before scan
run quick scan and click on the remove selected button to quarantine anything found
post the scan log here

Chris Weimer

  • Guest
Re: Virus Problem
« Reply #2 on: June 17, 2010, 09:32:58 PM »
Thanks, I did.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4210

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

6/17/2010 3:28:35 PM
mbam-log-2010-06-17 (15-28-35).txt

Scan type: Quick scan
Objects scanned: 133118
Time elapsed: 8 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Chris\AppData\Local\Temp\trc3ns.exe (Virus.Agent) -> No action taken.
C:\Windows\Temp\nsvC0A1.tmp\uninstall.exe (Adware.Agent) -> No action taken.


(strange, it said my IP address just posted something 20 seconds ago, but I hadn't posted anything!)

Chris Weimer

  • Guest
Re: Virus Problem
« Reply #3 on: June 17, 2010, 09:36:20 PM »
BTW, all the svchost.exe's that are cropping up are coming up in Avast as C:\Windows\Temp\dtjl.tmp\svchost.exe Win32:MalOb-BK[Cryp].
« Last Edit: June 17, 2010, 09:38:16 PM by Chris Weimer »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Re: Virus Problem
« Reply #4 on: June 17, 2010, 09:44:27 PM »
your log says (No Action Taken); you did not remove the infection with MBAM.
you have to click the remove selected button to do that

Chris Weimer

  • Guest
Re: Virus Problem
« Reply #5 on: June 17, 2010, 10:14:57 PM »
OK, I did that, rebooted to finalize. Got blue screen of death again. And another alert by Avast...

YoKenny

  • Guest
Re: Virus Problem
« Reply #6 on: June 17, 2010, 10:18:16 PM »
Get ATF-Cleaner to clean out Temp Folders:
http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25

CCleaner is also good at cleaning out Temp Folders but do not install its pre-selected Yahoo toolbar:
CCleaner - Slim
Installer, no toolbar
http://www.piriform.com/ccleaner/builds

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Re: Virus Problem
« Reply #7 on: June 17, 2010, 10:21:03 PM »
Follow this guide from Essexboy and post the logs here as attachments
http://forum.avast.com/index.php?topic=53253.0

see down left corner: additional options > attach

Chris Weimer

  • Guest
Re: Virus Problem
« Reply #8 on: June 17, 2010, 11:54:50 PM »
OK. I did a scan with MalwareBytes first, removed the infected, then tried to do a scan with OTL but I kept getting the blue screen of death. So I entered into safe mode and then ran OTL. Then I did MalwareBytes one more time, and I came up empty. So I came to upload them post here, and again I got a threat detection by Avast. Same thing -

Object: C:\Windows\Temp\lxxu.tmp\svchost.exe
Infection: Win32:MalOb-BK[Cryp]
Action: Moved to chest
Process: C:\Windows\System32\svchost.exe

There's something there still. Is it possible that there's a virus-making file somewhere that isn't actually triggering the antivirus but is instead making other files that are doing the triggering? And why am I still getting blue screened?
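
The alert quoted in the post above names a `svchost.exe` under `C:\Windows\Temp`, while the genuine binary lives in `System32`. As an added example (not part of the original thread), this Python sketch parses alert blocks in that `Key: value` layout and flags any object that carries a system binary's name from an unexpected folder. The `EXPECTED_DIRS` table and the second sample alert are assumptions constructed for illustration.

```python
import ntpath

# Illustrative, non-exhaustive map: system binary name -> folders it normally lives in.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# First block is the alert from the post; the second is constructed sample data.
SAMPLE = r"""Object: C:\Windows\Temp\lxxu.tmp\svchost.exe
Infection: Win32:MalOb-BK[Cryp]
Action: Moved to chest
Process: C:\Windows\System32\svchost.exe

Object: C:\Users\example\Downloads\setup.exe
Infection: Example:Constructed
Action: Moved to chest
Process: C:\Program Files\Example\browser.exe
"""

def parse_alerts(text):
    """Split blank-line-separated 'Key: value' blocks into dicts."""
    alerts = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                fields[key.strip().lower()] = value.strip()
        if fields:
            alerts.append(fields)
    return alerts

def is_masquerading(path):
    """True if the file name is a known system binary but the folder is wrong."""
    folder, name = ntpath.split(ntpath.normpath(path).lower())
    expected = EXPECTED_DIRS.get(name)
    return expected is not None and folder not in expected

def flag_alerts(text):
    """Return (object, reported process) for each alert on a masquerading file."""
    return [(a["object"], a.get("process", "unknown"))
            for a in parse_alerts(text)
            if "object" in a and is_masquerading(a["object"])]

if __name__ == "__main__":
    for obj, proc in flag_alerts(SAMPLE):
        print(f"system-binary name outside its normal folder: {obj} (process: {proc})")
```
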

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Re: Virus Problem
« Reply #9 on: June 18, 2010, 12:04:02 AM »
Quote
There's something there still. Is it possible that there's a virus-making file somewhere that isn't actually triggering the antivirus but is instead making other files that are doing the triggering? And why am I still getting blue screened?
Yep, and if so Essexboy will find it

you may not see him until late UK time tomorrow, it is just midnight here now

Chris Weimer

  • Guest
Re: Virus Problem
« Reply #10 on: June 18, 2010, 12:07:18 AM »
New lead: it's affecting Firefox (pop-up ads) and apparently disabled Google Chrome from accessing the internet (but not Opera).

Jtaylor83

  • Guest
Re: Virus Problem
« Reply #11 on: June 18, 2010, 01:33:22 AM »
Hi, there. I think there may be a rootkit somewhere.

Time to use GMER.

GMER Rootkit Scanner - Download - Homepage

    * Download GMER
    * Extract the contents of the zipped file to desktop.
    * Double click GMER.exe.


    * If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
    * In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
          o IAT/EAT
          o Drives/Partition other than Systemdrive (typically C:\)
          o Show All (don't miss this one)

    * Then click the Scan button & wait for it to finish.
    * Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
    * Save the log where you can easily find it, such as your desktop.

**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Please copy and paste the report into your Post.

Chris Weimer

  • Guest
Re: Virus Problem
« Reply #12 on: June 18, 2010, 02:58:33 AM »
I tried GMER, I got the blue screen of death every time I tried using it, including when I was in safe mode.

Jtaylor83

  • Guest
Re: Virus Problem
« Reply #13 on: June 18, 2010, 03:53:09 AM »
The Zeus/Zbot infection may be still there. Since Zeus/Zbot steals your passwords, personal information, banking, etc, you may want to start changing passwords, check your bank account, and report identity fraud.

How to report ID theft, fraud, drive-by installs, hijacking and malware?

So we're going to use ComboFix. Remember to rename ComboFix before you save it onto the desktop.

Chris Weimer

  • Guest
Re: Virus Problem
« Reply #14 on: June 18, 2010, 04:34:46 AM »
Good so far, but then I got to a point where I'm logged in, Combofix is running but not doing anything, and PEV.cfxxe is requesting permission to access my computer. Is this normal? Allow or cancel?