possible sysinternal virus effects


  • This topic is locked This topic is locked
12 replies to this topic

#1 fisgreg (Members, 13 posts)

Posted 17 July 2010 - 01:12 PM

My wife's system started displaying red screens with messages about sites being unsafe (JC Penney and the like). Since then I have lost count of the scans I have run. I have used Webroot Spy Sweeper, Spybot Search & Destroy and Malwarebytes. Each time they identify items and quarantine them. I have even run back-to-back sweeps until no items were found and then shut down and powered off. I get messages about problems with memory and an svchost.exe app error (exception: integer division by zero), as well as indications from the scan of a PDF trojan. I have experience with removing several other malware types but this one has me stumped. Spy Sweeper says that it has blocked access to 8734hgf7xx60.com repeatedly. drwstn.exe was running at up to 90 percent of my CPU. It is an XP OS and I have attached the ark.txt, attach.txt and dds.txt files.

I can reboot and the executables will work for a time, but within minutes Task Manager and anything I click on does not work.

I have tried your removal directions from this site but I am still having issues.

Attached Files



#2 miekiemoes (Malware Response Team, 19,420 posts, Belgium)

Posted 18 July 2010 - 03:11 AM

Hi,

I have the feeling that you are dealing with a Daonol/Gumblar variant here. However, this one would block access to this forum, so I'm not sure if you are posting these logs from your wife's computer or not. Unless you are dealing with a buggy variant that appears to crash once in a while, which would explain why you are still able to run certain applications.
This one also "blocks" commonly used Windows programs like Task Manager, regedit etc. It won't even allow Malwarebytes to run either and closes the window during the scan...

This one does get installed via a PDF file. Do you still have logs from the detection of files? Can you post the log from Malwarebytes?

Also, are you able to run regedit? If so, then I may need additional info (from what I read here, it looks like you are familiar with Windows in general).

Also, do you use a modified hosts file? For example the MVPS HOSTS file or another one created by another security program? Because this may explain the "blocking access" to certain domains in Spy Sweeper. The reason is that Spy Sweeper has problems with larger modified hosts files and actually sees some entries present in the modified hosts file, for example 127.0.0.1 8734hgf7xx60.com, and alerts on those instead. For whatever reason Webroot has decided that the end user only needs 500 entries in the HOSTS file, and everything larger causes "strange" detections in Spy Sweeper related to blocked domains.

The way to solve this is to open Spy Sweeper and click Options. Click Shields and click Hosts File. Uncheck Hosts File Shield.

Also see here: http://infoave.ipbhost.com/index.php?showtopic=27380

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
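The hosts-file explanation in the reply above is easy to verify directly. The following is an added example, not code from the thread: it parses a hosts file in the standard format, counts the active entries against the 500-entry figure the reply attributes to Spy Sweeper, and reports whether the domain a scanner is alerting on is simply blackholed by that file. The sample hosts contents are constructed for the example (the domain is the one named in the thread); on a real machine, read C:\Windows\System32\drivers\etc\hosts and pass its text to the same function.

```python
"""Check whether a scanner's "blocked domain" alert is just a hosts-file entry.

Added example (not from the original thread). Parses a hosts file in the
standard "address hostname [hostname...] [# comment]" format.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file for the example; the 8734hgf7xx60.com entries
# mirror the domain named in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.example-tracker.net   # blackholed ad host
127.0.0.1       8734hgf7xx60.com
127.0.0.1       www.8734hgf7xx60.com
192.0.2.10      intranet.example         # legitimate custom mapping
"""

# Addresses that make an entry a blackhole rather than a real mapping.
BLACKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Entry count above which the reply says Spy Sweeper misreads the file.
SPY_SWEEPER_LIMIT = 500


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs for every active hosts entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])      # first field must be an IP
        except ValueError:
            continue                             # malformed line: skip it
        for host in fields[1:]:
            entries.append((fields[0], host.lower().rstrip(".")))
    return entries


def blackholed_hosts(entries: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each blackholed hostname to the null/loopback address it points at."""
    return {host: addr for addr, host in entries
            if addr in BLACKHOLE_ADDRESSES and host != "localhost"}


def explain_alert(hosts_text: str, domain: str) -> dict:
    """Say whether an alert on `domain` is explained by the hosts file alone."""
    entries = parse_hosts(hosts_text)
    blocked = blackholed_hosts(entries)
    key = domain.lower().rstrip(".")
    return {
        "entry_count": len(entries),
        "exceeds_limit": len(entries) > SPY_SWEEPER_LIMIT,
        "in_hosts_file": key in blocked,
        "mapped_to": blocked.get(key),
    }


if __name__ == "__main__":
    # On a live machine: open(r"C:\Windows\System32\drivers\etc\hosts").read()
    print(explain_alert(SAMPLE_HOSTS, "8734hgf7xx60.com"))
```

If `in_hosts_file` is true and `mapped_to` is a loopback or null address, the "blocked" domain was never contacted; the scanner read the local blackhole entry. A large MVPS-style file will also trip `exceeds_limit`, which is the condition the reply describes.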

#3 fisgreg (Topic Starter, 13 posts)

Posted 18 July 2010 - 09:25 AM

Thanks, I have attached the Malwarebytes log file. I looked at it and it appears to show what I keep encountering. FYI, I am using multiple systems so I can access the net and switch back and forth between systems.

Attached Files



#4 fisgreg (Topic Starter, 13 posts)

Posted 18 July 2010 - 09:38 AM

I have made the change to Spy Sweeper you suggested. Also, if I reboot I can temporarily run programs.
Not sure about the hosts file. I have not modified anything that I am aware of. I have loaded and run Spybot Search & Destroy and Malwarebytes after this started occurring.
Also, I did not mention before: I get the "Windows encountered a problem and wants to send a report" message for
"Generic host process for Win32 services encountered a problem and needs to close"

thanks again

#5 fisgreg (Topic Starter, 13 posts)

Posted 18 July 2010 - 12:39 PM

Here is one more bit of info I just found.

In the Event Viewer:
Error
Event properties
Faulting application svchost.exe
version 5.1.2600.5512
faulting module unknown
version 0.0.0.0, fault address 0x001a3ae7

This is a common, everyday occurrence.

Hope this might be a key.

thanks

#6 miekiemoes (Malware Response Team, 19,420 posts, Belgium)

Posted 19 July 2010 - 02:13 AM

Hi,

Well, this says it all:

C:\WINDOWS\system32\..\ovwo.nrc

You are indeed dealing with a Daonol/Gumblar version. Still an older version though, so this one appears to have been present for a while already.

Can you verify where this one is located? It should be present in your C:\Windows folder, so the exact path is C:\Windows\ovwo.nrc, because system32\.. actually stands for "return to the previous folder", so this is C:\Windows.
This one needs to be deleted, but it needs to be deleted at reboot, because when you delete it via right-click > Delete, it will be recreated immediately.

So in this case, you can use HijackThis > Delete a file on reboot.

* Open HijackThis, click 'Config' (bottom right).
Choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'.
In the field, click Browse and browse to the ovwo.nrc file, which is most probably present in your Windows folder.
Or copy and paste the following path in the field there: C:\Windows\ovwo.nrc

Click Open.
HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. Click Yes/OK.
Your system should reboot now.


After reboot, verify that the file is gone.

Edited by miekiemoes, 19 July 2010 - 02:14 AM.


#7 fisgreg (Topic Starter, 13 posts)

Posted 19 July 2010 - 07:03 AM

I will try that and let you know.
Thank you so much for your help.



#8 miekiemoes (Malware Response Team, 19,420 posts, Belgium)

Posted 19 July 2010 - 07:04 AM

OK, I'll read you later!

#9 fisgreg (Topic Starter, 13 posts)

Posted 19 July 2010 - 05:54 PM

I did not find the file ovwo.nrc when I searched. I also checked for
.nrc and ov*.*

What might I try next?

#10 miekiemoes (Malware Response Team, 19,420 posts, Belgium)

Posted 20 July 2010 - 12:22 AM

Hi,

There is a possibility that it's not present there anymore though, because Malwarebytes didn't list it under "files removal" either, only under the registry part.
Either way, do the following.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Also, are you familiar with the registry? Can you export the following key please?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

To do this, run regedit, then go to the above key, right-click the Drivers32 key and select Export, and save it on your desktop.
Then, right-click the exported file and choose Edit. This will open the contents in Notepad. Copy and paste the contents in your next reply as well.

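As an added example, not part of the original thread, the script below does by machine what the two replies above ask the poster to do by eye: it reads the .reg export of Drivers32 that regedit produces, resolves each value to the path Windows would actually load (so the system32\..\ovwo.nrc form quoted in post #6 collapses to C:\WINDOWS\ovwo.nrc), and flags values that use '..' to leave system32, resolve outside it, or carry an extension no stock codec or driver entry uses. The export text is constructed; the "midi9" value name and the set of legitimate extensions are assumptions made for illustration, not taken from the poster's log.

```python
r"""Triage a regedit export of the Drivers32 key for hijacked loader entries.

Added example (not from the original thread). Drivers32 maps multimedia
driver/codec names to the module Windows loads for them, normally a bare
file name resolved from system32. A value such as
    C:\WINDOWS\system32\..\ovwo.nrc
normalises to C:\WINDOWS\ovwo.nrc, which is how the path quoted in the
thread should be read.
"""
import ntpath
import re
from typing import Dict, List

# Constructed .reg export for the example. The "midi9" value name is an
# illustrative assumption; only the path form is taken from the thread.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"vidc.cvid"="iccvid.dll"
"wavemapper"="msacm32.drv"
"midi9"="C:\\WINDOWS\\system32\\..\\ovwo.nrc"
"""

SYSTEM32 = r"C:\WINDOWS\system32"
# Extensions seen on legitimate Drivers32 values (assumption for the example).
LEGIT_EXTENSIONS = {".dll", ".drv", ".acm", ".ax"}


def parse_reg_values(reg_text: str) -> Dict[str, str]:
    """Extract "name"="string" values from .reg text (REG_SZ only, which is
    all Drivers32 holds). The .reg format doubles backslashes and escapes
    quotes inside strings, so both are unescaped here."""
    pattern = re.compile(r'^"([^"]+)"="(.*)"$')
    values: Dict[str, str] = {}
    for line in reg_text.splitlines():
        m = pattern.match(line.strip())
        if m:
            values[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return values


def resolve_driver_path(value: str, system32: str = SYSTEM32) -> str:
    """Resolve a Drivers32 value to the absolute path Windows would load.
    Bare names are taken from system32; anything with a directory part is
    normalised, collapsing '..' exactly as the loader does."""
    path = value if ntpath.dirname(value) else ntpath.join(system32, value)
    return ntpath.normpath(path)


def triage_drivers32(reg_text: str, system32: str = SYSTEM32) -> List[dict]:
    """Return one finding per value that does not look like a stock entry."""
    findings = []
    for name, value in parse_reg_values(reg_text).items():
        resolved = resolve_driver_path(value, system32)
        directory, ext = ntpath.dirname(resolved), ntpath.splitext(resolved)[1]
        reasons = []
        if ".." in value.split("\\"):
            reasons.append("path uses '..' to escape system32")
        if directory.lower() != system32.lower():
            reasons.append(f"loads from outside system32: {directory}")
        if ext.lower() not in LEGIT_EXTENSIONS:
            reasons.append(f"unexpected extension {ext!r}")
        if reasons:
            findings.append({"name": name, "value": value,
                             "resolved": resolved, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # For a real export: triage_drivers32(open(path, encoding="utf-16").read())
    for f in triage_drivers32(SAMPLE_REG_EXPORT):
        print(f["name"], "->", f["resolved"], ";", "; ".join(f["reasons"]))
```

regedit writes .reg exports as UTF-16LE, hence the `encoding="utf-16"` when reading a real file. A finding gives you two things the thread needed: the resolved path to check on disk (and to feed to delete-on-reboot), and the name of the registry value that was pointing at it.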

#11 fisgreg (Topic Starter, 13 posts)

Posted 28 July 2010 - 08:10 AM

I was able to resolve this issue.
Thanks for your help.

#12 miekiemoes (Malware Response Team, 19,420 posts, Belgium)

Posted 28 July 2010 - 08:16 AM

Good to hear and glad I could help.

Extra note: please change all passwords, especially FTP-related passwords, as this variant steals them in order to put malicious content on your webpages as well.

#13 miekiemoes (Malware Response Team, 19,420 posts, Belgium)

Posted 16 August 2010 - 08:04 AM

Since this issue appears resolved, this topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a new topic.



