
Recovered my computer from a virus attack, and now it's acting up again


3 replies to this topic

#1 Basilisk (Members, 3 posts)

Posted 21 October 2008 - 12:25 AM

2 weeks ago, I made the mistake of downloading a questionable torrent, which unfortunately carried with it a number of viruses which tore through my computer like pigs at a trough. I managed to get my system back into working order, but I'm beginning to think that I haven't caught everything.

First of all, when I start up my computer, I always get a popup from Sygate informing me:

The executable has changed since the last time you used: C:\WINDOWS\system32\ntoskrnl.exe

File Version : 5.1.2600.5657
File Description : NT Kernel & System
File Path : C:\WINDOWS\system32\ntoskrnl.exe
Process ID : 0x4 (Heximal) 4 (Decimal)

Connection origin : local initiated
Protocol : UDP
Local Address : 70.65.138.203
Local Port : 137
Remote Name :
Remote Address : 70.65.139.255
Remote Port : 137 (NETBIOS-NS - Browsing requests of NetBIOS over TCP/IP)

Ethernet packet details:
Ethernet II (Packet Length: 124)
Destination: ff-ff-ff-ff-ff-ff
Source: 00-1b-fc-43-db-54
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0x5594 (Correct)
Source: 70.65.138.203
Destination: 70.65.139.255
User Datagram Protocol
Source port: 137
Destination port: 137
Length: 8
Checksum: 0x5198 (Correct)
Data (76 Bytes)

Binary dump of the packet:

It doesn't matter if I deny or allow the change, it's always waiting for me again at startup.

Secondly, if I leave my computer on for prolonged periods of time (usually around 3 hours, but varying between 45 mins and 5 hours) my internet connection stops working, and I can't use the internet again until I restart the computer. When I shut down the computer while the internet is interrupted like so, I sometimes get Windows' "Ending program" window pop up briefly for a program listed as _dummy_DNSresolver.

I have run several scans using Avast!, Spybot S&D, and Malwarebytes' Anti-Malware, both in standard and in safe mode, and sometimes they find a Trojan virus, but it's always the same one. Malwarebytes offers this log:

Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 3

20/10/2008 10:50:51 PM
mbam-log-2008-10-20 (22-50-46).txt

Scan type: Quick Scan
Objects scanned: 48625
Time elapsed: 2 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55277-OEM-0050977-77068) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Normally, at this point, my impulse would be to back up and reformat, but I've recently moved out from my parents' house, and I know I don't have my Windows disk. Some of my driver disks are also MIA, so a reformat at this point is difficult. I'm currently running under Windows SP3, if this helps track down the problem.

Any advice on this matter would be helpful.
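To make the Sygate alert's fields concrete, here is an added example (not code from the post or from any tool mentioned in it) that parses the "Field : value" block of such an alert, classifies UDP traffic to port 137/138 at a broadcast address as NetBIOS name/browser traffic, and encodes/decodes the RFC 1001 first-level encoded names those packets carry. The alert excerpt and the host name EXAMPLE-PC are constructed samples.

```python
# Excerpt of a Sygate alert in the format quoted in the post (constructed sample).
SYGATE_ALERT = """\
Connection origin : local initiated
Protocol : UDP
Local Address : 70.65.138.203
Local Port : 137
Remote Address : 70.65.139.255
Remote Port : 137 (NETBIOS-NS - Browsing requests of NetBIOS over TCP/IP)
"""
NETBIOS_PORTS = {137: "name service", 138: "datagram service"}
SUFFIXES = {0x00: "workstation", 0x1D: "master browser",   # 16th byte of a name
            0x1E: "browser election", 0x20: "file server"}

def parse_alert(text):
    """Turn the 'Field : value' lines of a Sygate alert into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(fields):
    """UDP to port 137/138 at a broadcast address is the normal NetBIOS name and
    browser chatter Windows emits when file and printer sharing is on. The
    last-octet-255 test is a heuristic: the alert carries no subnet mask."""
    port = int(fields["Remote Port"].split()[0])
    broadcast = fields["Remote Address"].endswith(".255")
    if fields.get("Protocol") == "UDP" and port in NETBIOS_PORTS and broadcast:
        return "NetBIOS %s broadcast" % NETBIOS_PORTS[port]
    return "not NetBIOS broadcast traffic"

def decode_netbios_name(encoded):
    """Decode an RFC 1001 first-level encoded name (32 chars from A..P): each
    nibble of the 16-byte name is sent as nibble + 'A'. Returns (name, suffix)."""
    if len(encoded) != 32 or set(encoded) - set("ABCDEFGHIJKLMNOP"):
        raise ValueError("not a first-level encoded NetBIOS name")
    nib = [ord(c) - 0x41 for c in encoded]
    raw = bytes((nib[i] << 4) | nib[i + 1] for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def encode_netbios_name(name, suffix):
    """Inverse of decode_netbios_name: pad to 15 bytes, append the suffix byte."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in raw)

def describe(encoded):  # e.g. 'EXAMPLE-PC<1E> (browser election)'
    name, suffix = decode_netbios_name(encoded)
    return "%s<%02X> (%s)" % (name, suffix, SUFFIXES.get(suffix, "unknown"))
```

A kernel-attributed flow (PID 4) to port 137/138 on the broadcast address is ordinary NetBIOS traffic on a Windows network with sharing enabled; that says nothing about whether ntoskrnl.exe itself is intact, which is a question for file integrity checks rather than for the firewall log.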

#2 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 21 October 2008 - 12:39 AM

Please download ATF Cleaner by Atribune & save it to your desktop (alternate download link). DO NOT use it yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Basilisk (Topic Starter, Members, 3 posts)

Posted 21 October 2008 - 11:18 AM

Ran both programs, haven't been logged in long enough to get the internet problem yet.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/21/2008 at 10:09 AM

Application Version : 4.21.1004

Core Rules Database Version : 3603
Trace Rules Database Version: 1589

Scan type : Complete Scan
Total Scan Time : 00:19:21

Memory items scanned : 166
Memory threats detected : 0
Registry items scanned : 6675
Registry threats detected : 0
File items scanned : 27476
File threats detected : 4

Trojan.Unclassified/GTS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F91D259F-27D2-48AE-B4AB-674501340FB4}\RP313\A0045943.DLL

Adware.Vundo-Variant/J
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F91D259F-27D2-48AE-B4AB-674501340FB4}\RP313\A0045944.DLL

Trojan.Net-MSV/VPS-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F91D259F-27D2-48AE-B4AB-674501340FB4}\RP313\A0045947.DLL

Trojan.Dropper/Gen
C:\WINDOWS\FBXRQTWN.EXE



I am still getting this warning:

The executable has changed since the last time you used: C:\WINDOWS\system32\ntoskrnl.exe
File Version : 5.1.2600.5657
File Description : NT Kernel & System
File Path : C:\WINDOWS\system32\ntoskrnl.exe
Process ID : 0x4 (Heximal) 4 (Decimal)

Connection origin : local initiated
Protocol : UDP
Local Address : 70.65.138.203
Local Port : 138
Remote Name :
Remote Address : 70.65.139.255
Remote Port : 138 (NETBIOS-DGM - Browsing datagram responses of NetBIOS over TCP/IP)

Ethernet packet details:
Ethernet II (Packet Length: 231)
Destination: ff-ff-ff-ff-ff-ff
Source: 00-1b-fc-43-db-54
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0x7d96 (Correct)
Source: 70.65.138.203
Destination: 70.65.139.255
User Datagram Protocol
Source port: 138
Destination port: 138
Length: 8
Checksum: 0x5e9a (Correct)
Data (183 Bytes)

Binary dump of the packet:

#4 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 21 October 2008 - 03:49 PM

Try running the System File Checker.

How to Use SFC.EXE to Repair System Files



