Unknown Virus on XP Professional system

[mchain]

essexboy,

Have (will) download ComboFix and also install Recovery Console.

Time is now to back up all personal files, so I will be doing that for the next hour or so.  Once that is done, I will wait to run ComboFix and attach the log requested.  (See below)

I see that ComboFix may ask to update.  How will I be able to do that if I am deliberately not putting this system online?  I am doing that because this not my computer and no firewall service or process is running or installed on it.  I am also not willing to compromise any other computers out there with whatever malware that still is resident on this system.  Will you be able to get the data you need if this is not done?

I will wait until you have an answer for these two questions.   

mchain

XP Home SP3 P4 2.8 2 GB RAM Avast! 6.0.1289 

[essexboy]

It may ask to download the recovery console - if it does then do the following

Go to Microsoft's website => http://support.microsoft.com/kb/310994
 
Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.
 
Note: If you have SP3, use the SP2 package.
 
 
---------------------------------------------------------------------
 
Transfer all files you just downloaded, to the desktop of the infected computer.
 
--------------------------------------------------------------------
 
 
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
 

 
 

• Drag the setup package onto ComboFix.exe and drop it.
• Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

 
 
 

• At the next prompt, click 'Yes' to run the full ComboFix scan.
• When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

[mchain]

To essexboy, David R, Pondus, et al,

I cannot use the floppy disk setup for the Compaq machine that is infected to install Recovery Console as it does not have a floppy drive installed.

Please see system specifications posted above in this thread.

Could anyone point me towards a downloadable file from M$ for a burnable CD-ROM?  I haven't tried it yet, but it is quite possible this computer will boot from the DVD/CD drive.  If it does not, I will look in the BIOS to see if the settings there need to be changed.

Worst comes to worst, I can install a floppy drive temporarily to run Recovery Console if need be.  No Windows Installation CD is available however, only the hidden backup partition is available, and that is installed by the manufacturer.

System has been backed up.  Personal data is in excess of 15 GB.

Owner is coming over soon, and we will back up more if need be.

I think essexboy is showing the highest integrity possible.  I want to thank him for all the help given so far.    

Please be patient while I work things out here.

If it would help, I can post a Belarc Advisor file but it will have system information in it I would rather not post, such as the M$ installation key would be published, and I do not want to do that.

mchain

XP Home SP 3 P4 2.8 2 GB RAM Avast! Free 6.0.1289 

[essexboy]

No there is no need to use a floppy disc - copy the KB to the desktop of the infected system and drag and drop it onto the combofix icon..  Combofix will then install it for you

[mchain]

No there is no need to use a floppy disc - copy the KB to the desktop of the infected system and drag and drop it onto the combofix icon..  Combofix will then install it for you

essexboy,

Sure was quick of you there!

OK, then, will do as you say and give you the .txt file from Comobofix very soon.

mchain

XP Home Edition P4 2.8 2 GB RAM Avast! Free 6.0.1289

[essexboy]

I will be offline in about half an hour - but as tomorrow is saturday I will be back on a.m.

[mchain]

essexboy,

 

I uninstalled BearShare w/RevoUninstaller.  Installation successful, but had to reboot to remove traces of program.  Something like 1800 folders removed (registry entries) , 1200 files removed!  Never have seen Revo remove so much stuff in one pull!

I copied ComboFix to infected desktop and also copied the SP2 file for XP Pro there as well.

Forgot to do an important step, that of dragging the SP2 file into ComboFix before running it, so no Recovery Console was installed.  Maybe we could try again?  I will wait for your answer.

ComboFix did find three files, and one, srcvc.dll, was found to be infected.  As Recovery Console was not installed, I let the dialog box stating ComoboFix was about to do an intensive search for a clean copy of this file run w/o clicking 'Accept' on the dialog box.

As this was the first time ever I have run this program, I thought it necessary to write down the name of the file, this took a moment or two, and never did click 'Accept'.  Dialog box closed on its own.  [Edit:  I was not expecting the dialog box to close on its own.  Rather caught me by surprise.]

Hope this will not cause a problem for the next steps that need to be made.

System is running better than before, but most of that is likely due to the removal of BearShare.

I do not pretend to know if ComboFix actually repaired the file found to be infected, so...

Attached find the ComboFix file below.

Hope this is the right file!  Date and time are correct, though.

mchain

XP Home Edition SP3 P4 2.8 2 GB RAM Avast! Free 6.0.1289

[essexboy]

OK lots of repairs needed here. 

c:\windows\system32\srsvc.dll . . . is infected!!

Recovery console needs to be installed to repair this

So run Combofix again but install the recovery console first and accept the windows to search for spare copies

Once that has completed we will need to repair netsvc registry entries.

Copy all of the data in the code box to a notepad file and you must save it as Netsvc.reg
Just in case you are not sure how to do that :
When you save the note pad file in the drop down box select all file types
Save as netsvc.reg to your desktop
Double click and allow to merge 

Code: [Select]

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cisvc]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DcomLaunch]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTPFilter]
"Start"=dword:00000003

THEN

Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.

VArestorepolicies.INF

Download this INF repair file from here: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip VArestorepolicies.zip by MS-MVP Miekiemoes

Unzip or open the file VArestorepolicies.zip

Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install
FixPolicies.exe

Download this self-extracting ZIP archive from here: http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.

Double-click FixPolicies.exe

Click the "Install" button on the bottom toolbar of the box that will open

The program will create a new Folder called FixPolicies

Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd

A black box will briefly appear and then close

These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.

[mchain]

essexboy,

System now boots to desktop, all startup programs loaded in 2 minutes and 5 seconds.

Attached find ComboFix log below. 

Note the name change!

Ran both repair utilities, could not see any system changes.  Task manager is showing 42 processes running and, notably, commit charge has dropped to 292 MB, down from over 400, but there still is no total commit charge present.

Ran Avast! full scan yesterday before these repairs were made, and it took only 18:10 vs. 29:05 with infected files found. 

Recovery console installed.  Did have a hitch there, as I forgot to turn off Avast! real-time protection, and the sandbox option kept popping up, eventually leading to a dialog box stating 'Do not run Comobofix in compatibilty mode.  Doing so will damage the system.'  I clicked 'Acceptar' (Accept) and re-ran ComboFix after turning off real-time.

Everything looks good so far.

Do not know if srsvc.dll file was repaired.  Shows no hidden file in ComboFix log , however.

mchain

XP Home Edition SP3 P4 2.8 2 GB RAM Avast! Free 6.0.1289

[essexboy]

OK now would be the time to install SP3 to get us some fresh copies of the corrupted files

Once done if you could run a fresh OTL scan on all users I will see if there are any remnants before we look at the current state of play

[mchain]

essexboy,

Now that we are both online, things will go faster.

Will install SP3 and run OTL again (fresh copy?)

Thanks.

mchain

XP Home Edition SP3 P4 2.8 2 GB RAM Avast! Free 6.0.1289

[essexboy]

Yep our time zones match..  I will be here on and off for the next 4 or 5 hours

For the OTL run could you add this script

• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
srsvc.*
/md5stop
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT

• Click the Quick Scan button.
  

[mchain]

essexboy,

Alas, the SP3 full install disc will not run as update language does not match what is on the system (Spanish).  Currently downloading a .iso file in Spanish @ ghack.com but do not know if that will work either.

Brief survey of the Internet shows may be possible to go to Control Panel and change Regional/Language settings, but obviously not on infected system ATM.

Will copy and paste custom commands into OTL after successful install of SP3. 

Conflict above may be why SP3 was not installed in the first place.

mchain

[essexboy]

Ignore this I can't read

[essexboy]

Here is the correct link http://www.microsoft.com/download/en/details.aspx?id=24