Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

web pages diverted - dns is ok - all tcp services not functioning


  • Please log in to reply

#16
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Doesn't sound like malware. Just changing the host file to French and uncommenting the localhost won't do anything for malware.

You posted the Application log twice. Could you post the VEW System log?
  • 0

Advertisements


#17
donchandler

donchandler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
The last thing I did was run the log viewer a half hour ago or so. Now, all of a sudden it is working properly.
  • 0

#18
donchandler

donchandler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I reran VEW after it started working. Files attached.

Attached Files


  • 0

#19
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Logs aren't showing much besides a lot of printer errors. There was a warning about your StorageCraft service that was a bit odd. Let's look at it a bit closer.

Get Process Explorer

http://live.sysinter...com/procexp.exe
Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures


Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top.

Wait a full minute then:

File, Save As, Save. Open the file Procexp.txt on your desktop and copy and paste the text to a reply.



Does your AdAware anti-virus come with its own firewall? Is there some reason for using it in particular?
  • 0

#20
donchandler

donchandler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Storage craft is part of a backup system - it should be ok.

there is an external hardware firewall, not using software firewalls.

corrupt host file may not do anything FOR malware, but something had to change it - in my mind anything that changes system files unexpectedly is not good, hence malware.
  • 0

#21
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Run Process Explorer anyway. It may show something the other scans missed.

When the web pages get diverted where do they go?
  • 0

#22
donchandler

donchandler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
i wish i knew. same with ftp and telnet - packets seem to go out ok, but never come back.

i'll run procexp, but will probably be tomorrow

thanks for your help
  • 0

#23
donchandler

donchandler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I tried to run the full aswmbr scan and it failed. I've attached a screen shot of the fail message, and a screen shot of event viewer. I also ran combofix and it found and replaced a corrupt atapi.dll, log attached. Finally, I've attached the procexp log.
Thanks

Attached Files


  • 0

#24
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Can you find the file atapi.sys that combofix removed and submit it to virustotal.com? It usually gets renamed to atapi.sys.vir and should be down in C:\qoobox\quarantine\c\windows\SysWow64\Drivers\atapi.sys.vir

The file had a good checksum when we ran OTL. I'm wondering if it got recently replaced by malware, the malware lied to us, or if the hard drive just saved/read it incorrectly.

Let's run TDSSKiller again
but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Not sure why aswMBR failed. It sometimes crashes when you check the trace button which is why I have people uncheck it but it usually works OK on a full scan. Would it be possible to uninstall your current anti-virus and replace it with the free Avast? http://www.avast.com...ivirus-download
Download, Save, and right click and Run As Administrator.

Then we could have it run a boot-time scan which usually finds anything bad on a PC. (I usually suggest running it while you sleep so that's why we mute the speakers)


First mute the speakers so it won't wake you up when Windows loads. Click on the Orange ball. Click on Security. Click on AntiVirus. Scroll down to the bottom and find Boot-time scan. Click on Settings. Where it says Heuristic Sensitivity click on the last rectangle so that all of them are orange and it says High. Then change When a threat is found ... to: Move to Chest. OK. Now click on Schedule Now. Close the Avast window and then reboot. The scan will start. It will tell you where it will save the report. Usually it's
C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location. When Windows loads Click on the Orange Ball then Maintenance then Scan Logs. Click on the Boot-time scan log and then View Results. IF it found anything then open the saved Report and copy and paste the text into a reply so I can see it.
  • 0

#25
donchandler

donchandler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Ron,
Thanks for your prompt reply! I did run aswmbr with trace turned off. I'll follow your other steps, but it will probably be the weekend before I can.
Thanks again
Don
  • 0

Advertisements


#26
donchandler

donchandler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
The removed atapi file was not in qoobox.

Ran tdsskiller again with the additional options, log attached, found nothing.

I did remove the other AV. Ran boot time avast scan, log attached. I ran the two SAAZ files on virustotal.com and they were fine. (SAAZ is part of managed services software I have on this machine.)

Attached Files


  • 0

#27
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
I don't see any sign of an infection. I suppose it's possibly you have a worm in your network that gets on when you connect this PC to the network but it's not leaving any traces that I can see. Smells like corruption - either the hard drive - which we know is getting sick or the RAM. Have you run the builtin RAM test?

Any chance of replacing the hard drive? It's going to need to be done soon anyway.

Got to go into town now. Going to be off-line for an hour or two.
  • 0

#28
donchandler

donchandler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Thanks.

I ran GMER, and it ended up shutting the computer down before I could see the results. Error message on reboot attached.

I will run the RAM test. Not sure about replacing the drive - I'll look into that.

Thanks again

Attached Files


  • 0

#29
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP
Does this PC have all of its updates? It's possible that if you do have a network worm that it is the only one which is still vulnerable because it is missing an update.
  • 0

#30
donchandler

donchandler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Good point. I think so, but I will double check.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP