Author Topic: hidden virus deactivating my windows firewall?  (Read 9761 times)


chi-saki

  • Guest
hidden virus deactivating my windows firewall?
« on: July 06, 2010, 12:07:44 PM »
Hi.
So I made some careless mistakes in handling some viruses and now I'm not sure whether I'm still infected or not because my comp is acting suspicious.

It started yesterday, my friend sent me a virus link via Facebook without knowing. It automatically "liked" websites I didn't. I googled it and found out it was a virus. So, I ran my free Avast and it showed nothing, so I didn't think too much about it, but changed all my passwords just in case.
 Fast-forward to today; going to my normal sites, suddenly uTorrent pops open and tells me I want to download torrent file "like.php" and I was all ?!? because I always deactivate uTorrent when I'm not using it. Of course, I refused the download and shut uTorrent back off and ran Avast right away. It now came up with 5 viruses but they could not be put into my virus chest, so I deleted them. I ran another virus scan and nothing came up. I decided to look in my virus chest again and behold, a new trojan that I had never added (Windows/32 something or other), and the date was all weird so... I deleted it (totally realize now that that was probably a big mistake --;). Ran a few more scans, nothing pops up.
 About an hour later, my Windows firewall turns itself off, so I decided to dl and run Malwarebytes. It finds 5 things and fixes them or so I assume. It restarts my computer and thinking I'm cured, I uninstalled it and deleted the info it gave me.  :'( Now, my Windows firewall deactivates every 40-50 minutes and idk why. Since then, I looked everywhere, ran Avast multiple times, re-dl'd Malwarebytes and ran more scans and nada, Registry Mechanic etc. Don't have any 3rd party firewalls.

Other than what I have mentioned in the above, I have not changed any settings or dl-ed anything new.
My  system is Microsoft Windows XP Media Center Edition 2002 service pack 3. My pc is Hewlett-Packard Company Hp Pavilion Intel(R) Pentium(r) D CPU 3.00GHz 3.00GHz 2.00GB of RAM .   Idk if that helps, but just in case...
I'm not really tech savvy, so if this is a stupid problem, or if I caused this problem myself, I am sorry :-[ Sorry for it being so long, and thank you for reading this, I hope someone can help me. Thanks again.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 76035
Re: hidden virus deactivating my windows firewall?
« Reply #1 on: July 06, 2010, 12:21:16 PM »
Run a boot time scan with avast.
Run Mbam again (update the definitions first) and post your logs here.
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

chi-saki

  • Guest
Re: hidden virus deactivating my windows firewall?
« Reply #2 on: July 07, 2010, 02:06:00 AM »
Okay,
this is the log from just now



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4284

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

06/07/2010 4:21:00 PM
mbam-log-2010-07-06 (16-21-00).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 319734
Time elapsed: 1 hour(s), 27 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



--------------------------------------------------------------
And this was the log I thought I had previously deleted if it matters



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4281

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

05/07/2010 8:15:07 PM
mbam-log-2010-07-05 (20-15-07).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 317796
Time elapsed: 1 hour(s), 53 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\0.26331626412650555.gif (Extension.Mismatch) -> Quarantined and deleted successfully.


---------------------------------------------------



The Avast boot-time scan picked up one thing


*RAW:C:\hp\bin\KillIt.exe                  PUP:Win32:KillApp-W[PUP]          the severity was low



------------------------------------------------------


And I found the logs of the viruses I deleted
 

321306156.exe  Win32: Malware-gen
321306406.exe  Win32: Malware-gen
321306562.exe  Win32: Malware-gen
321307000.exe  Win32: Malware-gen
loader.exe Win32:Cycler-I [Trj]
smss.exe Win32:Cycler-I [Trj]

+4 more Win32: Malware-gen but they appear to just be Java updates.


I also timed the firewall shutdowns, and it turns off every 70 minutes or so

Thank you
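The two Malwarebytes logs above are worth reading mechanically rather than by eye: the second one shows that, besides the Minibug adware keys, the AntiVirusDisableNotify and FirewallDisableNotify values under the Security Center key had been set to 1, which is how malware silences the XP balloon that would otherwise announce that the firewall is off. The following is an added example, not code from the thread, from Malwarebytes or from Avast: a small Python triage script for the Malwarebytes' Anti-Malware 1.46 log layout as posted here (a summary block of "<Category> Infected: N" lines followed by one detailed block per category). The embedded sample is a trimmed copy of the 05/07/2010 log; the UpdatesDisableNotify value is a third switch from the same key that the log does not mention.

```python
"""Triage a Malwarebytes' Anti-Malware 1.46 text log (added example)."""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?:\s*(?P<count>\d+))?\s*$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
NO_ITEMS = "(No malicious items detected)"

# Values under HKLM\SOFTWARE\Microsoft\Security Center that suppress the XP
# Security Center warnings when set to 1; the first two appear in the log above.
SECURITY_CENTER_VALUES = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"}


@dataclass
class Finding:
    category: str
    path: str
    detection: str
    action: str


@dataclass
class MbamReport:
    database_version: str = ""
    summary: dict = field(default_factory=dict)   # category -> count from the summary block
    findings: list = field(default_factory=list)

    def by_category(self):
        grouped = {}
        for f in self.findings:
            grouped.setdefault(f.category, []).append(f)
        return grouped

    def counts_consistent(self):
        """True when every summary count matches the number of detailed lines parsed."""
        grouped = self.by_category()
        return all(len(grouped.get(cat, [])) == n for cat, n in self.summary.items())

    def security_center_tampering(self):
        """Findings that touch the Security Center notification switches."""
        return [f for f in self.findings if f.path.rsplit("\\", 1)[-1] in SECURITY_CENTER_VALUES]


def parse_mbam_log(text):
    report = MbamReport()
    current = None                      # detailed section we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version:"):
            report.database_version = line.split(":", 1)[1].strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:   # summary block line, e.g. "Files Infected: 1"
                report.summary[m.group("name")] = int(m.group("count"))
                current = None
            else:                              # detailed block header, e.g. "Files Infected:"
                current = m.group("name")
            continue
        if current is None or line == NO_ITEMS:
            continue
        m = ITEM_RE.match(line)
        if m:
            report.findings.append(Finding(current, m.group("path"), m.group("detection"), m.group("action")))
    return report


def triage(text):
    """Short verdicts a responder would want from one log."""
    r = parse_mbam_log(text)
    notes = ["database %s: %d item(s) removed" % (r.database_version, len(r.findings))]
    if not r.counts_consistent():
        notes.append("summary counts do not match detailed entries; log may be truncated")
    for f in r.security_center_tampering():
        name = f.path.rsplit("\\", 1)[-1]
        notes.append("Security Center tampering: %s (%s)" % (name, f.detection))
    return notes


# Trimmed copy of the 05/07/2010 log posted in the thread, used as sample input.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 4281
Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\0.26331626412650555.gif (Extension.Mismatch) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(note)
```

Run against the first log in the post (database 4284) the script reports zero items and no tampering, which is exactly why that clean scan says little on its own: the notification switches had already been reset the day before, and the process that keeps turning the firewall off is a separate question the log cannot answer.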

Jtaylor83

  • Guest
Re: hidden virus deactivating my windows firewall?
« Reply #3 on: July 07, 2010, 04:13:38 AM »
There may be a sign of a bootkit.

Please download Bootkit Remover from esage lab to your Desktop.

This is a rar file. If you don't have an extraction program to open it, use 7-Zip or Peazip.

* Extract Remover to your desktop
* Right click Remover and select Run as Administrator
* It will show a Black screen with some data on it
* Right click on the screen and click Select All
* Press Ctrl+C (on keyboard) to copy the data
* Open a notepad and press Ctrl+V to paste the data

Please copy/paste the log in the next post.

chi-saki

  • Guest
Re: hidden virus deactivating my windows firewall?
« Reply #4 on: July 07, 2010, 04:37:13 AM »
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 24e6e969c5e03633165af062d524329f
\\.\D: -> \\.\PhysicalDrive0
\\.\K: -> \\.\PhysicalDrive5
MD5: 24e6e969c5e03633165af062d524329f

     Size  Device Name          MBR Status
 --------------------------------------------
   298 GB  \\.\PhysicalDrive0   Unknown boot code
   298 GB  \\.\PhysicalDrive5   Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...



Jtaylor83

  • Guest
Re: hidden virus deactivating my windows firewall?
« Reply #5 on: July 07, 2010, 05:08:55 AM »
Open Notepad and copy/paste this text without including the word code.

Code:
@ECHO OFF
REM Launch the first repair in its own window, then run the second one
START remover.exe fix \\.\PhysicalDrive0
remover.exe fix \\.\PhysicalDrive5
EXIT

Save it as fix.bat onto your desktop.

Exit Notepad and double-click on fix.bat. When it's finished, your computer will restart automatically.

When successfully finished and restarted, run remover.exe and post a new log.
« Last Edit: July 07, 2010, 08:04:05 AM by Jtaylor83 »

chi-saki

  • Guest
Re: hidden virus deactivating my windows firewall?
« Reply #6 on: July 07, 2010, 05:37:36 AM »
It flickered open and closed immediately.  ???

Jtaylor83

  • Guest
Re: hidden virus deactivating my windows firewall?
« Reply #7 on: July 07, 2010, 06:18:48 AM »
Did you post the log?

chi-saki

  • Guest
Re: hidden virus deactivating my windows firewall?
« Reply #8 on: July 07, 2010, 06:37:11 AM »
Maybe I did it wrong?


I pasted this exactly, saved it to desktop as a .bat

@ECHO OFF
remover.exe fix \\.\PhysicalDrive0
remover.exe fix \\.\PhysicalDrive5
EXIT

but when I run it nothing really happens, it opens and closes in a split second and nothing happens...

Jtaylor83

  • Guest
Re: hidden virus deactivating my windows firewall?
« Reply #9 on: July 07, 2010, 08:03:25 AM »
Forgot to add START, sorry. Please open fix.bat on Notepad and put START in the second line, click save, then run the batch file again.
« Last Edit: July 07, 2010, 08:08:01 AM by Jtaylor83 »

chi-saki

  • Guest
Re: hidden virus deactivating my windows firewall?
« Reply #10 on: July 07, 2010, 09:16:29 AM »
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive0
\\.\K: -> \\.\PhysicalDrive5
MD5: 24e6e969c5e03633165af062d524329f

     Size  Device Name          MBR Status
 --------------------------------------------
   298 GB  \\.\PhysicalDrive0   OK (DOS/Win32 Boot code found)
   298 GB  \\.\PhysicalDrive5   Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...

Jtaylor83

  • Guest
Re: hidden virus deactivating my windows firewall?
« Reply #11 on: July 07, 2010, 09:14:44 PM »
Do you have another hard drive or any other removable drives like a USB stick?

Delete the batch file off the desktop you just made and make a new one.

Open Notepad and copy/paste this code onto Notepad without copying the word "code".

Code:
@ECHO OFF
REM Repair the MBR of the second disk only; remover.exe must sit next to this file
START remover.exe fix \\.\PhysicalDrive5
EXIT

Save it as fixme.bat onto desktop.

Exit Notepad and double-click on fixme.bat. Once it's finished it will restart automatically again.

When it's finished and restarted, please run remover.exe again and post a new log.
« Last Edit: July 07, 2010, 09:16:39 PM by Jtaylor83 »

chi-saki

  • Guest
Re: hidden virus deactivating my windows firewall?
« Reply #12 on: July 08, 2010, 12:09:45 AM »
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive0
\\.\K: -> \\.\PhysicalDrive5
MD5: 6def5ffcbcdbdb4082f1015625e597bd

     Size  Device Name          MBR Status
 --------------------------------------------
   298 GB  \\.\PhysicalDrive0   OK (DOS/Win32 Boot code found)
   298 GB  \\.\PhysicalDrive5   OK (DOS/Win32 Boot code found)


Press any key to quit...
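The three Bootkit Remover logs in this thread tell the story in two numbers per disk: the MBR status column and the MD5 of the boot sector. In the first run both disks report unknown boot code and share the same MD5; after the first fix PhysicalDrive0 has a DOS/Win32 boot sector with a new hash while PhysicalDrive5 still carries the old one; after the second fix both disks share the new, clean hash. The following is an added example, not code from eSage Lab or from anyone in the thread: a Python parser for the remover.exe output layout as posted (drive-letter mapping, MD5 line belonging to the most recent mapping, then the status table), with helpers that list disks still flagged, disks whose boot sector hash matches a flagged disk, and what changed between two runs. The embedded logs are trimmed copies of the three posted here.

```python
"""Compare eSage Lab Bootkit Remover 1.0.0.1 logs across runs (added example)."""
import re
from dataclasses import dataclass, field

MAP_RE = re.compile(r"^\\\\\.\\(?P<letter>[A-Z]): -> \\\\\.\\(?P<device>PhysicalDrive\d+)$")
MD5_RE = re.compile(r"^MD5: (?P<md5>[0-9a-fA-F]{32})$")
ROW_RE = re.compile(r"^\s*(?P<size>\d+ [KMGT]B)\s+\\\\\.\\(?P<device>PhysicalDrive\d+)\s+(?P<status>.+?)\s*$")


@dataclass
class Disk:
    device: str
    letters: list = field(default_factory=list)   # volumes mapped onto this physical disk
    md5: str = ""                                 # MD5 of the master boot sector
    size: str = ""
    status: str = ""

    @property
    def ok(self):
        return self.status.startswith("OK")


def parse_remover_log(text):
    """Return {device name: Disk} from the output of one remover.exe run."""
    disks = {}
    last = None                       # device the next "MD5:" line belongs to
    for raw in text.splitlines():
        line = raw.rstrip()
        m = MAP_RE.match(line)
        if m:
            disk = disks.setdefault(m["device"], Disk(m["device"]))
            disk.letters.append(m["letter"])
            last = m["device"]
            continue
        m = MD5_RE.match(line)
        if m and last:
            disks[last].md5 = m["md5"].lower()
            continue
        m = ROW_RE.match(line)
        if m:
            disk = disks.setdefault(m["device"], Disk(m["device"]))
            disk.size, disk.status = m["size"], m["status"]
    return disks


def flagged(disks):
    """Disks whose MBR status is anything other than OK."""
    return sorted(d.device for d in disks.values() if not d.ok)


def sharing_flagged_hash(disks):
    """Disks whose boot-sector hash equals that of a disk reporting unknown boot code."""
    bad = {d.md5 for d in disks.values() if not d.ok and d.md5}
    return sorted(d.device for d in disks.values() if d.md5 in bad)


def diff_runs(before, after):
    """(device, old status, new status, hash changed?) for each disk whose MBR changed."""
    changes = []
    for dev in sorted(set(before) & set(after)):
        b, a = before[dev], after[dev]
        if (b.md5, b.status) != (a.md5, a.status):
            changes.append((dev, b.status, a.status, b.md5 != a.md5))
    return changes


# Trimmed copies of the three logs posted in the thread, used as sample input.
LOG_BEFORE = r"""
\\.\C: -> \\.\PhysicalDrive0
MD5: 24e6e969c5e03633165af062d524329f
\\.\D: -> \\.\PhysicalDrive0
\\.\K: -> \\.\PhysicalDrive5
MD5: 24e6e969c5e03633165af062d524329f

     Size  Device Name          MBR Status
 --------------------------------------------
   298 GB  \\.\PhysicalDrive0   Unknown boot code
   298 GB  \\.\PhysicalDrive5   Unknown boot code
"""
LOG_AFTER_DRIVE0_FIX = r"""
\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive0
\\.\K: -> \\.\PhysicalDrive5
MD5: 24e6e969c5e03633165af062d524329f
   298 GB  \\.\PhysicalDrive0   OK (DOS/Win32 Boot code found)
   298 GB  \\.\PhysicalDrive5   Unknown boot code
"""
LOG_AFTER_DRIVE5_FIX = r"""
\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive0
\\.\K: -> \\.\PhysicalDrive5
MD5: 6def5ffcbcdbdb4082f1015625e597bd
   298 GB  \\.\PhysicalDrive0   OK (DOS/Win32 Boot code found)
   298 GB  \\.\PhysicalDrive5   OK (DOS/Win32 Boot code found)
"""

if __name__ == "__main__":
    runs = [parse_remover_log(t) for t in (LOG_BEFORE, LOG_AFTER_DRIVE0_FIX, LOG_AFTER_DRIVE5_FIX)]
    for i, run in enumerate(runs):
        print("run %d: flagged=%s sharing flagged hash=%s" % (i, flagged(run), sharing_flagged_hash(run)))
    for earlier, later in zip(runs, runs[1:]):
        print(diff_runs(earlier, later))
```

The hash comparison is the useful part for a responder: a disk whose boot sector hashes the same as one the tool has already called unknown deserves the same treatment even if it were reported OK, and a hash that changes between runs without anyone running a fix is a sign that something is rewriting the MBR.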

Jtaylor83

  • Guest
Re: hidden virus deactivating my windows firewall?
« Reply #13 on: July 08, 2010, 12:42:26 AM »
Looks good. Are you having any more problems?

chi-saki

  • Guest
Re: hidden virus deactivating my windows firewall?
« Reply #14 on: July 08, 2010, 01:07:52 AM »
The firewall is still turning off. Should I just get a different one? Or will the same thing happen?