Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojans blocking my internet connection


  • This topic is locked This topic is locked
34 replies to this topic

#1 chowder87

chowder87

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 04 August 2010 - 03:05 AM

Please keep in mind I'm quite a noob here... here's the background info:

So I have windows XP, and my Norton antivirus expired years ago... in its place I have AVG, which I've long since given up on trying to keep up with all the updates. I get occasional warnings of viruses, and AVG is rarely able to perform my "heal" or "remove" commands, however the viruses never did anything (that i noticed), so I let it be...

Anyway, Windows security alerts was bugging me for updates, so on July 30, against my better judgement, I ran the update and some service pack gets installed. Next thing, AVG is constantly alerting me of dozens of trojans (without being able to do anything about it, as usual), and immediately my wireless internet connection fails (it is constantly "acquiring network address"). Same problem even if I plug directly to modem.

I've ran into minor virus trouble before (sometimes they just die away on their own after a week) so I do the simplest thing I know that works - system restore. The process goes all the way through to reboot, but after logging in, it tells me "restoration not complete, cannot be restored to such and such date". Tried several times, and also in safe mode, to no avail.

Today (Aug 3) someone told me to turn off the antivirus before trying again (never had to do that before), but this time, the restore points are unavailable altogether... I now have a restore point for Aug 2, but nothing before that... which is kind of useless since the s--- storm began July 30...

Now I'm really screwed!!

Btw, the warnings have subsided since day 1, and nothing else is wrong with my computer, except for no internet... what am I going to do with all this spare time!?!? Edit: Might as well add that I've been dealing with the annoying google redirect virus for about 3 weeks...

***

So I followed the preparation guide, and did everything except for run the DDS script... all I get is a notepad window with weird symbols including "this program cannot be run in DOS mode" on the first line. Anyway, here's the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-04 03:27:45
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Martin\LOCALS~1\Temp\awloqpob.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF6931DBF]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

Hope this is just the garden variety for you experts out there! Thanks in advance!

Attached Files


Edited by chowder87, 04 August 2010 - 04:16 AM.


BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:06:12 AM

Posted 12 August 2010 - 12:22 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 chowder87

chowder87
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 15 August 2010 - 02:36 AM

Thanks for the reply. The problem is still not solved yet. Although I've already disabled the CD emulation, I am unable to run the DDS scan properly (as mentioned in previous post). I've attached a new gmer log.

Thanks,

Attached Files

  • Attached File  ark.txt   1.58KB   3 downloads

Edited by chowder87, 15 August 2010 - 02:37 AM.


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:12 PM

Posted 17 August 2010 - 12:27 PM


welcome.gif to the Bleeping Computer Malware Removal Forum
, My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 chowder87

chowder87
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 28 August 2010 - 02:43 AM

Thanks for the reply. Sorry for taking so long to get back (I was on vacation).

I ran the combofix on my machine, but could not download the Windows Recovery Console with it as I still don't have internet access (I downloaded the combofix on another laptop that was perfectly clean, but didn't want to take risks with turning off its firewall to download the recovery console). I didn't pay much attention to the scanning process, but my computer had to restart at some point... just want to make sure that was normal.

Attached is the log that was produced.

Thanks.

Attached Files



#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:12 PM

Posted 28 August 2010 - 04:18 AM

I hope you had a nice vacation! smile.gif

Before continuing; your combofix log shows you have a lot of open ports; do you need all those? Otherwise its a lot safer to close them.

As for your connection, can you give me a bit more details on how you connect to the internet?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 chowder87

chowder87
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 28 August 2010 - 11:36 AM

I don't know what a port is. How do I close them?

Currently I connect to internet via wireless network on another laptop, as I did with my own laptop. I disabled the wireless receiver on the affected laptop because i'm paranoid about getting more viruses through it.

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:12 PM

Posted 28 August 2010 - 01:37 PM

Lets first close all ports with a script, then connect the computer to the internet and let me know how things are.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"33908:TCP"=-
"49821:TCP"=-
"51418:TCP"=-
"10380:TCP"=-
"14618:TCP"=-
"65336:TCP"=-
"44223:TCP"=-
"23822:TCP"=-
"15388:TCP"=-
"6125:TCP"=-
"21387:TCP"=-
"5812:TCP"=-
"26321:TCP"=-
"18387:TCP"=-
"55079:TCP"=-
"56095:TCP"=-
"23266:TCP"=-
"34828:TCP"=-
"39991:TCP"=-
"60906:TCP"=-
"39266:TCP"=-
"11711:TCP"=-
"64861:TCP"=-
"62168:TCP"=-
"5661:TCP"=-
"43911:TCP"=-
"19981:TCP"=-
"23442:TCP"=-
"39008:TCP"=-
"30031:TCP"=-
"35325:TCP"=-
"14453:TCP"=-
"33556:TCP"=-
"55113:TCP"=-
"42860:TCP"=-
"12220:TCP"=-
"18409:TCP"=-
"33759:TCP"=-
"7225:TCP"=-
"32524:TCP"=-
"32656:TCP"=-
"35708:TCP"=-
"26184:TCP"=-
"20790:TCP"=-
"60852:TCP"=-
"43786:TCP"=-
"18073:TCP"=-
"11100:TCP"=-
"20311:TCP"=-
"23530:TCP"=-
"23028:TCP"=-
"58305:TCP"=-
"12845:TCP"=-
"9429:TCP"=-
"42385:TCP"=-
"48482:TCP"=-
"7658:TCP"=-
"40470:TCP"=-
"54803:TCP"=-
"27845:TCP"=-
"63766:TCP"=-
"39548:TCP"=-
"20506:TCP"=-
"58078:TCP"=-
"60618:TCP"=-
"64509:TCP"=-
"45743:TCP"=-
"28411:TCP"=-
"24880:TCP"=-
"13336:TCP"=-
"37422:TCP"=-
"44297:TCP"=-
"48935:TCP"=-
"9977:TCP"=-
"32017:TCP"=-
"10297:TCP"=-
"10656:TCP"=-
"11415:TCP"=-
"45430:TCP"=-
"47868:TCP"=-
"22782:TCP"=-
"40981:TCP"=-
"49352:TCP"=-
"32942:TCP"=-
"62188:TCP"=-
"44978:TCP"=-
"7303:TCP"=-
"39168:TCP"=-
"53317:TCP"=-
"25903:TCP"=-
"40605:TCP"=-
"37895:TCP"=-
"40866:TCP"=-
"32415:TCP"=-

Save this as CFScript.txt, in the same location as ComboFix.exe



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 chowder87

chowder87
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 28 August 2010 - 06:36 PM

Here's the log generated from the CFScript thing, please see attached.

Thanks.

Attached Files



#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:12 PM

Posted 29 August 2010 - 04:17 AM

Hi, please rerun DDS and post me attach.txt

Also, how are things running now? Please connect your computer and look around a bit.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 chowder87

chowder87
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 29 August 2010 - 06:49 PM

The DDS script still only gives me a notepad document full of random symbols with "This program cannot run in DOS mode". Still cannot connect to internet.

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:12 PM

Posted 30 August 2010 - 03:52 AM

No problem, lets just use another scanner. smile.gif

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 chowder87

chowder87
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 30 August 2010 - 03:06 PM

Please see attached. Thanks.

Attached Files



#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:12 PM

Posted 30 August 2010 - 03:47 PM

Hi, you're quite low on disk space. Please try to free up some space by moving away personal data and uninstalling unnecessary programs.

UPDATE JAVA
------------------
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 chowder87

chowder87
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 30 August 2010 - 05:11 PM

I installed the new Java, but did not install the Malwarebytes thing yet, because I still can't connect to internet.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users