
Mirc Virus?


5 replies to this topic

#1 kreG15

  • Members
  • 24 posts

Posted 01 March 2008 - 01:29 PM

Ok so firstly I'll start with the "how I got it" story:
Someone (who is also infected with the same virus, probably...) sent a msg to all channels he was in, the msg was like this: "spawn busted at ESLR @ more details viruswebsite.com"
With my stupid brain, I clicked on the link from the msg and saw 5 links to 5 .jpg pictures. I tried to download one of them and when it finished downloading, the file disappeared so fast I couldn't even click on it.
Later on when I restarted my computer, 2 "error" messages popped up right after the welcome page of windows, here's a link:
http://img137.imageshack.us/img137/3828/fckbafm8.jpg
Don't worry about the subjects, in my language it says "error".
I clicked OK for both messages and my Windows Defender deleted a file C:\Windows\system32\drivers\etc\hosts
but it doesn't help at all... because every time I start my PC the same thing happens... Windows Defender deletes it every time...
And also people on mIRC say that I spam msgs (the same as above...) with virus websites... so I signed off mIRC so as not to spread this virus anymore until I fix it.
Can someone help me with this? I will do anything :thumbsup:
thanks in advance!

{Mod Edit ,killed active potentially dangerous weblink~~boopme}

Edited by boopme, 01 March 2008 - 04:10 PM.


#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,993 posts
  • Location:Bloomington, IN

Posted 01 March 2008 - 11:29 PM

Hello kreG15 and welcome to BC :flowers:

In order to assist you, we need a bit more information. What is your operating system: Windows XP, Vista etc.?

What other security programs besides Windows Defender do you have installed?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 kreG15
  • Topic Starter

  • Members
  • 24 posts

Posted 02 March 2008 - 07:16 AM

My OS is Windows XP Home Edition, and I also have Ad-Aware 6, SUPERAntiSpyware, NOD32, HijackThis and AVG Free Antispyware. None of them detect this virus except for NOD32, which detected mssvcs.exe (I don't remember where this file was), but it didn't help at all :flowers:
Thanks again!

EDIT:
Someone told me the virus is hidden in the System Volume Information folder, but when I click on the folder it says "Access denied" even though I already checked the box in the folder options, it was something like "show hidden files and folders", and I also unchecked the "hide protected system files (recommended)" box.
This is very urgent please, if you have any solution please don't hesitate to say it.
Thanks in advance!

EDIT #2:
Ok I checked the "disable system restoring" box and I guess the "System Volume Information" is now clean, isn't it?
URGENT :thumbsup:
anyone?

Edited by kreG15, 02 March 2008 - 08:34 AM.


#4 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,993 posts
  • Location:Bloomington, IN

Posted 02 March 2008 - 01:18 PM

Hello kreG15,

In response to the latest question, we can't say if it is clean or not and we didn't know if it was actually there.

System Volume Restore is where a computer system backs up system files, allowing you to go back to an earlier state if something gets messed up. While malware files may also get backed up there, the malware will not cause problems unless you actually use system restore. Contrary to Symantec's practice, here at BC we leave system restore alone until the computer has been disinfected. The reason is that if something gets messed up in the disinfection process you have a workable, even if infected, state to return to. By turning off system restore, you have eliminated the possibility of going back to an earlier state. For instance, you cannot see if the problem will be solved by going back to a time and date prior to clicking on that message. Please turn system restore back on.

When the computer has been declared clean, there are two methods of flushing old restore points. One involves turning system restore off, rebooting, then turning system restore back on. The other method is the one I prefer. That is to create a new restore point, then use Disk Cleanup to remove all earlier restore points, in the process removing any malware file backups in system restore.

For now two things: Turn system restore back on. Then go to the log files for NOD32 and find the file path for mssvcs.exe which it flagged and post that information.

One question: You stated that you ran several security programs. Did you scan with them in Safe Mode? If not, please do so, but NOT with HijackThis, which is an advanced tool and is not used in this forum, and see if they find anything further. Please post logs if they do.

Orange Blossom :thumbsup:

#5 kreG15
  • Topic Starter

  • Members
  • 24 posts

Posted 02 March 2008 - 02:18 PM

Ok I turned system restore on.
As for mssvcs.exe, its path is C:\WINDOWS\system32\mssvcs.exe. NOD32 detected this file as Win32\Rbot trojan and it took
Now for the hosts file, NOD32 always detects this file when I start Windows. It says "cleaned by deleting - quarantined" but it always recreates itself somehow (when Windows starts) and NOD32 detects it every time.
I scanned with them in regular mode, now I'll do that in Safe Mode as you said. I forgot to tell you that I also ran Spybot S&D, if that helps.
Thank you so much!

EDIT #1:
Important information from NOD32:
When NOD32 tried to clean the C:\WINDOWS\system32\drivers\etc\hosts file it said: "Unable to clean, Event occured during an attempt to access the file by the application C:\WINDOWS\system32\svchost.exe"
And also very important, and I think you should see this, the whole NOD32 log:

02/03/2008 18:50:10 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\mssvc.exe.
02/03/2008 18:43:04 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\mssvc.exe.
02/03/2008 18:22:58 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
02/03/2008 18:21:48 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan error while Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
02/03/2008 17:34:56 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\mssvc.exe.
01/03/2008 11:20:37 Real-time file system protection file C:\WINDOWS\system32\mssvcs.exe Win32/Rbot trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Windows Defender\MsMpEng.exe.
29/02/2008 18:27:16 Real-time file system protection file C:\System Volume Information\_restore{0D1368F3-4705-4684-A322-DC445637B4F1}\RP686\A0652574.dll probably a variant of Win32/Agent trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
29/02/2008 15:34:25 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\mssvcs.exe.
29/02/2008 15:33:48 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\mssvc.exe.
29/02/2008 13:35:58 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\mssvcs.exe.
29/02/2008 13:34:02 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\mssvc.exe.
28/02/2008 14:18:04 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\mssvc.exe.
28/02/2008 11:49:18 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\system32\mssvc.exe.
27/02/2008 20:29:24 Real-time file system protection file C:\System Volume Information\_restore{0D1368F3-4705-4684-A322-DC445637B4F1}\RP686\A0652336.dll probably a variant of Win32/Agent trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.

Thanks in advance!!!

Edited by kreG15, 02 March 2008 - 02:25 PM.
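The log above shows the pattern a defender wants to pull out of an on-access scanner log: the same file is quarantined and recreated, and the "created by / modified by" field names the process that keeps writing it, while "attempt to access" entries only name readers. The Python below is an added example, not from the thread; it parses lines in the NOD32 format shown (the regex is derived from those lines, not from ESET documentation), with the sample log copied from the post, and reports which processes write the hosts file and how quickly it comes back.

```python
import re
from collections import Counter
from datetime import datetime

# Pattern derived from the NOD32 real-time protection lines posted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"Real-time file system protection file (?P<path>.+?) "
    r"(?P<threat>(?:probably a variant of )?Win32/\w+ trojan) "
    r"(?P<action>.+?) "
    r"Event occurred (?P<how>on a new file created by|on a file modified by|"
    r"during an attempt to access the file by) the application: (?P<app>.+?)\.?$"
)
HOSTS = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Subset of the log lines from the post above (verbatim).
SAMPLE_LOG = r"""
02/03/2008 18:50:10 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\mssvc.exe.
02/03/2008 18:43:04 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\mssvc.exe.
02/03/2008 18:22:58 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
02/03/2008 18:21:48 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan error while Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
01/03/2008 11:20:37 Real-time file system protection file C:\WINDOWS\system32\mssvcs.exe Win32/Rbot trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Windows Defender\MsMpEng.exe.
29/02/2008 15:34:25 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\mssvcs.exe.
28/02/2008 11:49:18 Real-time file system protection file C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\system32\mssvc.exe.
"""

def parse_line(line):
    """Return a dict for one NOD32 detection line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%m/%Y %H:%M:%S")
    # Only 'created by' / 'modified by' events identify the process writing the file.
    ev["writer"] = ev["how"] != "during an attempt to access the file by"
    return ev

def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]

def writers_of(events, path):
    """Count the processes that created or modified `path`; readers are ignored."""
    return Counter(ev["app"].lower() for ev in events
                   if ev["path"].lower() == path.lower() and ev["writer"])

def recreation_intervals(events, path):
    """Seconds between consecutive detections of `path` (short gaps = a live dropper)."""
    ts = sorted(ev["ts"] for ev in events if ev["path"].lower() == path.lower())
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("hosts writers:", dict(writers_of(events, HOSTS)))
    print("seconds between hosts detections:", recreation_intervals(events, HOSTS))
```

The writers list points at the still-running binary to remove first; quarantining the hosts file alone, as the log shows, is undone within minutes.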


#6 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,993 posts
  • Location:Bloomington, IN

Posted 02 March 2008 - 06:19 PM

Hello kreG15,

Thanks for the log. That helps a lot.

What I'd like you to do next is run a scan with SUPERAntiSpyware in Safe Mode. Be sure to update it first.

Also, in normal mode, check if your scan preferences match these:

Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
Please leave the others unchecked.

Reboot into Safe Mode

On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode

Here's how to get the log.

  • After rebooting into normal mode, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log with the appropriate date.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.

Please post the SAS log in your next reply.

Orange Blossom :thumbsup: