Topic: Malware attacking computer


aznkitty180

  • Guest
Malware attacking computer
« on: November 28, 2010, 07:55:38 AM »
Every half an hour or so, avast keeps popping up saying that there's a virus attacking svchost.exe and that it was blocked. The IP that keeps popping up is 199.80.55.19. The problem is, I've virus scanned using avast like 4 times already, and it still keeps happening. I've also scanned with Malwarebytes Anti-Malware 2 times, then updated and scanned 2 more times. It found 10 infected files with trojans and other stuff, but I'm still getting reports of viruses attacking. I've scanned with Spybot Search & Destroy and Ad-Aware. I also got the virus program WhiteSmoke Translator removed earlier by uninstalling it in safe mode. I've also used System Restore to go back to a week before the virus and then virus scanned again... I'm still getting avast alerts and my computer is still messed up. What should I do next?

SafeSurf

  • Guest
Re: Malware attacking computer
« Reply #1 on: November 28, 2010, 09:53:58 AM »
Hello aznkitty180 and welcome to the forum.

1.   What is your OS, 32 or 64-bit?
2.   What version of Avast did you install?  5.0.677 is the latest version.
3.   What product of Avast did you install?  Free, Pro, AIS?

Please cut and paste your most recent MBAM log. 

Have you scanned with Avast?  If so, is anything in the Virus Chest (VC)?  If anything is in there, please give me a screen shot so I can see what is in there.  Thank you.

If you haven't done an Avast Boot-time scan and you have a 32-bit machine, try that as well.  Any infections that come up, put in the Virus Chest where they are safe; do NOT delete.

Next, check the information on the first post of this thread under Virus/Worms to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0. Follow the directions for obtaining the OTL logs. Post the two (2) OTL logs as attachments (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).

**Please do not make any further changes to your machine after you have provided the logs.**

Please let me know if you have any questions.  Thank you.


aznkitty180

  • Guest
Re: Malware attacking computer
« Reply #2 on: November 29, 2010, 12:21:42 AM »
1. 32-bit (is OS the color quality?)
2. 5.0.677 (newest)
3. Free

Most recent Malwarebytes Anti-Malware log (no viruses found; I scanned twice after the one that found viruses. If you want the one with viruses, please tell me):

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5203

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/28/2010 5:28:49 AM
mbam-log-2010-11-28 (05-28-49).txt

Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 235430
Time elapsed: 1 hour(s), 29 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I've scanned with avast - it can't find the original virus. I usually delete infected files, so there are only some of them in there...
Virus chest: http://s301.photobucket.com/albums/nn73/aznkitty180/?action=view&current=viruschest.jpg

Just did avast bootscan, nothing found...

As for the OTL, I did the scan like 4 times. After the first time, two slightly faded files (a system file called thumbs.db and a Word document with a mix of Japanese, English, and numbers in the title) suddenly appeared on my desktop. I'm not sure how that happened, so I tried redoing the OTL scan three times. I got OTL.Txt 3 times, but I couldn't get another Extras.Txt, so I had to get it out of the trash can... What should I do with the two files that suddenly appeared on my desktop?

My computer crashes every 30 minutes or so... An error report suddenly pops up, and when you press 'Don't Send' the computer pretty much freezes and I have to hold the power button. When I'm on the internet, I am sometimes redirected to a random pop-up page without pressing anything (like when I had Google open, something pops up in a new tab or I am redirected).

YoKenny

  • Guest
Re: Malware attacking computer
« Reply #3 on: November 29, 2010, 12:42:25 AM »
1. It is the type of operating system

Please read:
Support for Windows XP Service Pack 2 ends on July 13, 2010
http://support.microsoft.com/gp/lifean31

You need to update Windows to SP3 as it has many Critical Updates and performance improvements.

SafeSurf

  • Guest
Re: Malware attacking computer
« Reply #4 on: November 29, 2010, 09:27:49 AM »
Quote: I usually delete infected files, so there's only some of them in there.

It is always best to leave an infection in the Virus Chest for a good 30 days, where it is safe, rather than delete it. You can always rescan it to see if it is a false positive, and if it is, restore it. In your case it is malware, so do NOT delete it.

Thank you for providing the logs and I have reviewed them.

I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.  I will continue to provide assistance in the meantime, then remain in the background while he works with you.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy instructs you to do malware removal steps; use a different machine if possible to check email, sync your phone, etc.

***Please do not make any further changes to your machine now that you have provided the logs.***

Let me know if you have any questions.  Thank you.

SafeSurf

  • Guest
Re: Malware attacking computer
« Reply #5 on: November 29, 2010, 09:35:47 AM »
@ YoKenny,

Yes the OP needs to eventually update to SP3, but at this time he/she cannot due to the malware problem and being redirected. 

@ aznkitty180,

It is best that Essexboy does his malware removal and cleanup prior to doing any upgrades.  Afterwards we can make sure your machine is better secured than it is now and give you some tips.  :)

Tenko

  • Guest
Re: Malware attacking computer
« Reply #6 on: November 29, 2010, 12:09:02 PM »
Hey and welcome to the forums aznkitty180! :)

I have googled a bit and found this link: http://www.techspot.com/vb/topic147575.html

I would like to know what firewall you're using (I assume you're using Windows Firewall). Use one of the free firewalls. If you intend to use ZoneAlarm, remember to activate Windows Firewall again, since ZoneAlarm doesn't activate at boot time (during the time ZoneAlarm activates itself you will be vulnerable); I have had both active and no conflict has ever happened.

In case you want a full-featured firewall, install Comodo Firewall; all of the other free firewalls want you to buy the pro version or whatever they call it. And you get the cloud scanner as an extra.

Regards,
              Tenko

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malware attacking computer
« Reply #7 on: November 29, 2010, 09:38:40 PM »
Fix time  ;D

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva098.sys -- (XDva098)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\My Computer\Desktop\Serbio\serbio.sys -- (serb1)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\My Computer\Desktop\Harrison's Random Stuff\3y4LoS_DE_Pack\DualEngi.sys -- (Dua1)
    O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - No CLSID value found.
    O3 - HKU\S-1-5-21-3403325154-843981437-1793403575-1006\..\Toolbar\ShellBrowser: (no name) - {CD292324-974F-4224-D074-CACA427AA030} - No CLSID value found.
    O3 - HKU\S-1-5-21-3403325154-843981437-1793403575-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKU\S-1-5-21-3403325154-843981437-1793403575-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O20 - AppInit_DLLs: (pudoluwa.dll) - File not found
    O20 - AppInit_DLLs: (c:\windows\system32\jegoi.dll) - C:\WINDOWS\System32\jegoi.dll File not found
    O22 - SharedTaskScheduler: {fbaa7197-94b0-4294-b781-fa8c52f7cc41} - mujuzedij - C:\WINDOWS\System32\jegobati.dll File not found
    O33 - MountPoints2\{13b26a16-acbb-11dc-9c75-0013204e1383}\Shell\AutoRun\command - "" = E:\ntdelect.com -- File not found
    O33 - MountPoints2\{13b26a16-acbb-11dc-9c75-0013204e1383}\Shell\explore\Command - "" = E:\ntdeIect.com -- File not found
    O33 - MountPoints2\{13b26a16-acbb-11dc-9c75-0013204e1383}\Shell\open\Command - "" = E:\ntdeIect.com -- File not found
    O33 - MountPoints2\{a17eadec-bfe3-11dc-9c94-0013204e1383}\Shell\AutoRun\command - "" = E:\.\Recycled\Driveinfo.exe -- File not found
    O33 - MountPoints2\{a17eadec-bfe3-11dc-9c94-0013204e1383}\Shell\Open\Command - "" = E:\.\Recycled\Driveinfo.exe -- File not found
    O33 - MountPoints2\{eea034ea-36b2-11da-957c-00038a000015}\Shell\AutoRun\command - "" = K:\.\Recycled\Driveinfo.exe -- File not found
    O33 - MountPoints2\{eea034ea-36b2-11da-957c-00038a000015}\Shell\Open\Command - "" = K:\.\Recycled\Driveinfo.exe -- File not found
    [2010/11/27 02:23:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\%APPDATA%
    [2010/11/26 22:44:21 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\My Computer\??
    [2010/11/27 02:25:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Iviguketo.bin
    [2010/11/27 02:25:58 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Pheqininozumaho.dat
    [2010/10/29 17:38:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
    [2010/03/06 21:02:15 | 000,013,800 | -HS- | C] () -- C:\Documents and Settings\My Computer\Local Settings\Application Data\fwSG76dUmwJ

    :Files
    ipconfig /flushdns /c
    C:\WINDOWS\tasks\At*.job

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode so that we can more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
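The fix script above is assembled from two kinds of OTL entries: ones whose target no longer resolves ("File not found", "No CLSID value found"), and persistence points that deserve attention even when they do resolve, namely AppInit_DLLs (loaded into every process that links user32.dll) and the MountPoints2 shell handlers that make a removable drive run a program when it is opened. The following Python script is an added example, not code from the thread or from OTL, that applies those same rules to OTL-format log lines and renders the hits in the :OTL fix format. The sample log is constructed for the example and modelled on the entries above, and the lookalike check, which notices that ntdeIect.com and ntdelect.com imitate the real ntdetect.com, is the example's own heuristic.

```python
"""Triage OTL-style log lines into a candidate :OTL fix block (added example)."""
import difflib
import re
from dataclasses import dataclass

# Constructed sample, modelled on the entries in the fix script above. The
# avast driver, the Java BHO and the avast Run entry are benign controls.
SAMPLE_LOG = r"""
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva098.sys -- (XDva098)
DRV - [2010/11/27 10:11:02 | 000,165,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O20 - AppInit_DLLs: (pudoluwa.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\jegoi.dll) - C:\WINDOWS\System32\jegoi.dll File not found
O22 - SharedTaskScheduler: {fbaa7197-94b0-4294-b781-fa8c52f7cc41} - mujuzedij - C:\WINDOWS\System32\jegobati.dll File not found
O33 - MountPoints2\{13b26a16-acbb-11dc-9c75-0013204e1383}\Shell\AutoRun\command - "" = E:\ntdelect.com -- File not found
O33 - MountPoints2\{13b26a16-acbb-11dc-9c75-0013204e1383}\Shell\open\Command - "" = E:\ntdeIect.com -- File not found
O33 - MountPoints2\{a17eadec-bfe3-11dc-9c94-0013204e1383}\Shell\AutoRun\command - "" = E:\.\Recycled\Driveinfo.exe -- File not found
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
"""

# Markers OTL prints when the file or CLSID an entry points at is gone.
ORPHAN_MARKERS = ("File not found", "No CLSID value found")

# Legitimate boot-time file names that the autorun payloads above imitate.
BOOT_FILES = ["ntdetect.com", "ntldr", "boot.ini", "autorun.inf"]

_SECTION = re.compile(r"^(DRV|O\d+)\s+-\s+")
_MOUNTPOINT_CMD = re.compile(
    r'MountPoints2\\\{[^}]+\}\\Shell\\(\w+)\\command - "" = (.+?)(?:\s+--\s+File not found)?$',
    re.IGNORECASE,
)


@dataclass
class Finding:
    section: str  # OTL section tag, e.g. "O20"
    reason: str
    line: str


def lookalike(filename: str):
    """Return the boot file a name closely imitates, or None if it is exact or unrelated."""
    hit = difflib.get_close_matches(filename.lower(), BOOT_FILES, n=1, cutoff=0.85)
    return hit[0] if hit and hit[0] != filename.lower() else None


def classify(line: str):
    """Decide whether one OTL log line belongs in the fix, and why."""
    line = line.strip()
    m = _SECTION.match(line)
    if not m:
        return None
    section = m.group(1)
    orphan = any(marker in line for marker in ORPHAN_MARKERS)
    missing = ", target missing" if orphan else ""
    if section == "O33":
        cm = _MOUNTPOINT_CMD.search(line)
        if cm:
            verb, command = cm.groups()
            name = command.replace("/", "\\").split("\\")[-1]
            reason = f"removable-media {verb} handler"
            imitated = lookalike(name)
            if imitated:
                reason += f", '{name}' imitates {imitated}"
            return Finding(section, reason + missing, line)
    if section == "O20":
        return Finding(section, "AppInit_DLLs entry (loaded into every user32 process)" + missing, line)
    if orphan:
        return Finding(section, "orphaned entry (target missing)", line)
    return None


def triage(log_text: str):
    """Return the findings for every line of an OTL log, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def build_fix(findings):
    """Render findings as an :OTL block in the format the helper pasted above."""
    return ":OTL\n" + "\n".join(f.line for f in findings) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.section}] {f.reason}")
    print()
    print(build_fix(hits))
```

The benign controls (the avast driver and Run entry, the Java BHO) fall through every rule, while all three MountPoints2 handlers are reported even though the drive letters no longer exist, because a later insertion of the same USB key would re-arm them. Treat the rendered block as a starting point to review, not as something to paste blindly: an orphaned entry is usually a leftover of an earlier cleanup, but the helper above still removes it so that nothing re-creates the file later.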

aznkitty180

  • Guest
Re: Malware attacking computer
« Reply #8 on: December 01, 2010, 02:33:51 AM »
So far, I've done the OTL steps, but the first link for ComboFix doesn't work, and when I downloaded from the second link, it's entirely in Chinese. I just pressed yes for everything, and the autoscan got stuck at C:\Combofix\CF-scrpt.cmd Access is denied. I'm pretty sure that while my avast shields were down, I probably got several infected files too... I'm not sure if the program just died or whether it's just taking a long time...

aznkitty180

  • Guest
Re: Malware attacking computer
« Reply #9 on: December 01, 2010, 03:46:39 AM »
NVM, I just found out I had my regional language advanced setting set to Chinese. I ran it again and it worked, but it rebooted my comp and everything... Was I supposed to put anything in the Custom Scans/Fixes during the second OTL Quick Scan? Because I didn't.

essexboy
Re: Malware attacking computer
« Reply #10 on: December 01, 2010, 09:35:23 PM »
Quote: \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

Culprit

What problems do you have now ?

aznkitty180

  • Guest
Re: Malware attacking computer
« Reply #11 on: December 02, 2010, 01:08:50 PM »
I think its fixed ^^ No avast alerts or computer freezing :D Thanks so much!

essexboy
Re: Malware attacking computer
« Reply #12 on: December 02, 2010, 07:33:20 PM »
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel > Add/Remove Programs, along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware that it is NOT supported for use on 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 22.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u22-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u22-windows-i586-p.exe and select "Run as an Administrator.")
SPRING CLEAN
 
Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes. It is critical to have both a firewall and an anti-virus to protect your system, and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ?
Keep safe  :wave: