Zief.pl

[So_sad]

Hi jjj,

 

First off, thank you for the detailed info. I'm having a busy day around here and won't be able to sit down for another few hours.

 

I had the manuals for both the router you have and the other one (blue). I think they have two versions, depending on where you live on the planet lol.

 

Just one little thing : you scratched out the DNS numbers from that last screenshot, but I'd really like to know what they are ; you can PM me if you wish.

 

When I get back in a few hours, I'll look over every log and let you know what you should do next.

 

;)

 

=====

[So_sad]

Ok, I'm back.

 

jjj : referring to that last screenshot again (from the "Status" tab)... If both DNS IPs point to your ISP, then it's Ok. If they start with "213" or "93" or "85", then we may have a DNS hijack problem. However, I don't see any evidence of it anywhere else. Not in Windows settings nor in the router's settings. I don't like that, because I was kinda hoping it was just going to be a classic DNS changer...

Just for prevention though, I'd like you to make sure your router has a password other than default, which is "admin". Same thing for the default Username, which is "admin" also. These need to be changed, from the "Administration" tab. Set your own Username and Password. We all need to do this with our routers anyway, because hackers and malware coders use these default settings to jump right into people's routers... That's how DNS changer infections do it.

 

I had a look at your OTL log. Nothing jumps out as far as malware, but this type of tool can't detect viruses directly, especially not one like Virut. So I'm afraid we'll need to look for Virut now ; maybe it's not there, maybe it's just partially there, but we need to rule it out before we look anywhere else.

 

jjj : you have a lot of drives and/or partitions on that machine. When you make images of your system, is it only for the system drive (C:\) ?

I'm asking because Virut can easily jump to other drives and partitions ; it depends on what you have on those drives and if the system needs to access them. For example : if I have my system (Windows) on "C:\" and then I install programs on another drive or partition (let's say "E:\"), then a file infector like Virut would immediately infect .exe files of a program launched from "E:\". Now, if I re-image my system drive only ("C:\"), that means I soon as I launch one of those programs on "E:\", Virut jumps back into the system, and does it real fast.

 

Virut infects .exe, .scr (screensavers), .htm, .html, and .php files. It injects these files in such a way that Windows cannot even protect its system files and cannot warn us about the injection. Further more, these injected processes still operate, so machines don't crash like they did with earlier Virut variants. When you attempt to disinfect a machine, all injected processes must be cured in one pass, or else it starts all over again. Worse, this thing lives in memory and changes, so removing it is extremely difficult and often impossible without a complete format (and only clean backups made).

 

I'm done with the scary stuff for now. Let's look at a few files.

Please go to VirusTotal and have these files from your machine analyzed, one after the other :

http://www.virustotal.com/

 

>> If you get a message that the file has already been analyzed, then please click for a new analysis.

 

C:\Windows\explorer.exe

C:\Windows\System32\winlogon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\userinit.exe

If you get any detection (Virut) on any of them, please let me know. Just bookmark the VirusTotal page from the analysis (with detections) and post the link here.

 

I could have you run more tests right away, but we'll go slow and make sure we don't do anything unneeded or silly.

 

Edit to ask another question : jjj... which antivirus are you using ??

 

Good luck ;)

 

====

[itsmejjj]

thank you for all of this..yes the ips are ok..now send me a small pm.and i can answer you.with the de-tales of my router..reason i scratched them out i did not want the whole form peering at my isp ,ok we just got up .and a lot of reading.pondering..

1 the small drive contain drivers.back up,and read me files.in different drives.thy are 3 usb drives.and i am about to add 1 more 2TB drive.that i shall do as soon as this is sorted out..

.that will be splitt,4 ways..

ok so i now do the tests...

jjj

[itsmejjj]

ok here is what i have done downloaded http://www.kaspersky.com/virusscanner scan

as the site i am having problems with up loading my system will not allow it

so a scan with there tool cleared me

on all drives

 

i think you said thy are the best to use so i may even download there virus app ?

and run it..what you think?

saves a lot of mucking around..

 

jjj

[scrd01]

30 30 30 router reset

 

might be usefull but not sure if you use the 30 30 30 method turn off comp, turn off router for minimum 30 seconds,

 

the router resets to original factory default settings,

 

obviously you will have to update any firmware changes, and change the default password.

 

might help

 

Roy

[itsmejjj]

yes thank you i have done that ..and reentered my de-tales..

many thank for the tip tho!

jjj

[So_sad]

Hi jjj and scrd01,

 

scrd01 : as far as I can see, the router is fine.

 

jjj : I was going to have you run VirutKiller, so it's a good thing you did. That pretty much tells us that the virus isn't active, which is great news :-)

Unless it is a brand new variant, unknown to Kaspersky, which does happen sometimes.

 

Not having an antivirus is risky business, especially when something like Virut shows up. Kaspersky antivirus is one of the best out there and has been for years, but they have no free version... If you decided to go with a free one, I'd suggest AntiVir (Avira) or Microsoft Security Essentials.

If you'd like to see if Kaspersky antivirus finds anything, you can run their free antivirus tool named "Virus Removal Tool 2010" :

http://support.kaspersky.com/viruses/avptool2010?level=2

 

That tool contains the whole Kaspersky database and it's a big download (~70 Megs). Once the scan is over, it will prompt you to uninstall. It does not have an updater or shields, so no reason to keep it.

It will ask you to scan from Safe mode, but that's not necessary in your case, so you can do it from Normal mode.

 

Last question : did you change any settings in the router before you took those screenshots ? I'm asking just to be sure. Now if you turn the DNS service back on today, do you still have the problem with those requests ?

 

I'll be here a bit today, so let me know if you have any questions about that Kaspersky tool.

 

===

[itsmejjj]

first of all i want to thank you again..why. this has help me think calmly and reassure me

 

ok i been flat out till now and you guessed it the blasted VURIT! yes there were on the usb drive several traces.ok i ran the kv.tool 3 times and it got into the drive and cleaned what it could find..

ok some shots i could not take ..

but there is more i installed kv full working version..let it do its thing 3 hours scanning..it finally cleared my drives..

 

now i reinstalled my one ..F-secure..and ran that..stupid of me to uninstall it a while back..

but here is a thing.

a file call Mcbuilder no exe behind it..

.330,odd k was sitting on the 32 system could not rid it.

and one called pddrv.exe. 40 k from memory..

 

 

as the virus rebooted to clean it .it was still there .booted into safe mode,

fiscally i killed it

the 2,,

 

ok we are now i think clean ,but this cost me a lot of app as the kv.and the killer destroyed parts of them. then I decided to format 200 odd gig of apps!

flecks it..bad luck and a lesson ,for any one..

ok something got in ,Bad luck it happens..i did save 400 odd gig of apps that were fine and passed..clean..so now we sit back a few days and keep at it..

 

i shall in a few days try dns service and see how we go..

but let me say this ZIEF sever did the damage..some how i got tangled into there links..

 

any how finaly the program is still and not complaining,only thing it now has to learn my apps..and this is a bit of a pian,,,

 

 

i confess i hate virus programs,but let me say this never agian run without a good one..

i am considering Kv to perchance it ? but am happy with f-secure...fully up to date ..

 

 

itsmejjj

 

 

.

 

never mind..

[itsmejjj]

Mcbuilder no exe behind it..

 

yes i forgot to say .you posted how thy jump about .well this one i shifted(safemode) to a screwdriver encase it was part of the OS..and as soon as i took alook see if the scanner killed it .guess what the app went into silly mode,and every thing stopped.then it F-secure, piped up asking you want to kill it..i said yes ! but after a reboot its on the other drive!!!!

 

like chasing a kid about..so we headed it of at the pass..was kind of funny..

 

i have them in a image file. Back up .i will not open it in case thy take of again..

but i shall move them to a cd..the image..

jjj

[itsmejjj]

ZIEF net works well if you the reader google this if not already thy are very bad to get tangled with..

in 98% cases not your falt..if browsing about...its just thy are there.and depending where you link to its possible to link..

 

now thy if you have read on this crowd are and will infect your system,unknown to you.

you may want to investigate there ip numbers that are blacklisted.ad them to block..

 

ok at last we are free of them...!!with the help from members and So sad..

i rid them.i still do not know what it was bar VIRUS related....Vurit mostly..

i did be leave it was gone.well its gone now...ok if you read the posts the thing i suggest id get 2 apps

as posted by So said...

 

one vi-rut killer

and kv free virus scanner..no matter what you run.virus program wize..

kv also has a online scan .very good indeed..or use the one suggested by so sad

 

ok i have and did not know munch about this.not my thing..but wiser now..

and will scan every thing again later on..

 

to be sure this takes a long time ...

i have decided to install kv and keep it..you get 30 free days..and then must pay for it..

 

probably worth the cash...its been a bad week .but a good learning curb...

 

 

 

 

 

and thanks again..to all ...

itsmejjj

[wozofoz]

Good news

 

Sorry to hear about the loss of 200 GB of apps but it's great news that you are rid of that horrid nasty.

 

Well done jjj for keeping calm and following instructions and well done to all especially So sad for the help :smile:

 

It's been an interesting thread

 

All the best, woz of oz

[itsmejjj]

well dear friends its now clean.after rescanning.(safe mode) modem of.it cleared all my personal pc!

 

now this kv is a very different thing.i had to adjust some filters and app

it dose not like my proxco..as it regards it as malicious ,behavioral app.

and i understand why..so we gave it full run excluded it from running

 

ok so sad i have posted a few caps Again and is this correct setting?

 

please take a peek and let me know..

 

i cant keep say this Enoch THANK you my frieds!!!

 

itsmejjj

[So_sad]

Hi jjj :smile:

 

I had a busy day yesterday, so I couldn't make it back here.

 

Well that's good news ! 8:)

 

In a way, you were very lucky... because most folks who get infected with Virut don't have a clean image of their system to revert to, so they need to reformat the system drive, and sometimes all drives and partitions. We also see some folks who re-format and get Virut jumping back soon after, because they put infected backups back in, or connected an infected external drive (or USB stick) without scanning it first.

 

Too bad for all those apps you destroyed. If I had been there next to you, maybe we could have saved them, but then again maybe not. Fact is, the Kaspersky tools (VirutKiller and Virus Removal Tool) and the full antivirus don't delete or quarantine Virut injected files, they disinfect them usually, unless they are really corrupt. Once the files are disinfected, they can be used again. The only files that are deleted are the ones known to be infectious from the start (not legit files), and the badly corrupt legit files. But... even with all the Kaspersky tools running, you often cannot remove Virut completely. You were able to re-image and then block off further installation of Virut and other malware (from Zief.pl), which saved your a$$ (lol). Virut came back because you had infected files on other drives which weren't replaced with the clean image (not on the C:\ drive). Virut loves external drives and puts Autoruns there, so as soon as you re-connect them... boom...

 

One thing I've learned over the years : when playing with malware, you need a virutal machine (Virtual PC, Virtual Box or VMWare) or, even better, a dedicated computer used only for that purpose. A test machine shouldn't have any personal stuff on it and only one partition is best, because you can re-image cleanly without the worry of having other partitions or drives infected. Re-image to an external drive that you keep disconnected from the test machine. I never handle malware from my regular machine. If you ever want a test machine, you can go with an older, cheaper one.

 

One little thing concerning the Kaspersky Virus Removal Tool : it will not install on a machine that has Kaspersky antivirus or their Internet Security Suite on it ; they use many of the same modules and Kaspersky decided to not allow both on the same machine. That's Ok, because the antivirus has the same detections, same cleaning power and offers shields too. If you ever want to run a good free antivirus tool again, you can go with Dr.Web CureIt, which is also very good with file infectors (Virut, Sality, etc...).

 

About your Kaspersky settings and that "Operating System Kernel Modification" option ; I don't use KAV at the moment so here is what I've found :

http://forum.kaspersky.com/index.php?showtopic=83544&st=0&p=750700entry750700

The "You're at risk" seems to be there because you were in Safe Mode ; antivirus programs don't protect much in Safe Mode.

 

I'm kinda glad you've switched to Kaspersky, because I don't really like F-Secure. Although I've never used it here, I can tell you they don't do real well with new infections. It may be user friendly for you and may suit the needs of those who don't experiment, who are at low risk of infection... Kaspersky is more intrusive, because it reaches further down to protect, but it also has one of the best databases ever for current malware, which is what you need. It's not 100% garanteed it will protect you from everything, but it helps.

 

I may soon exceed the post limit here, so I'll stop :wink:

 

====

[itsmejjj]

block off further installation of Virut and other malware (from Zief.pl), which saved your a$$

 

yes ,using a port blocker like bee think did it as well as peer blocker

i use this for this propose.to stop any unknown query's,that i always watch(log)

plus the in build http blocker is a help..but now its normal links that query

one has to allow this.

bit like knocking on the door and answer yes.or don't answer at all...

 

i think many have no idea this happens,linking unknown to them .Google yahoo,go daddy,zief,and many more,some legit,and then the rouge links,

one cant stop them unless blocking the query ip itself...(You agree?)

 

and a daunting task as one has to add them manually(ips)

 

one can down load ready spy.malawere known ips.and keep them up to date..

 

but that's no garroter you would block all..so one needs to watch ips that look sassy,

 

but this AV is very good and fast,missing nothing...no slow down bar the booting of the system

after that no difference in speed..

i do hope this is not boring..to readers...let me say i am now convinced,

 

run it use it..KASPER SKY is far the best i have used...

but one has to pay for it this is why i have been reluctant to use it..the only reason.

 

i advice as SO sad .try it you get 30 days and save;s a lot of grief

if it finds a download that has a virus DO NOT DOWNLOAD it

no matter how temping..what ever it is..if its a virus attached and you get the warning Then Simply do not risk it..no matter what...

itsmejjj

[So_sad]

Hi jjj,

 

For the average computer user, using a firewall - not the Windows one - can be a daunting task. People can't be bothered with constant prompts for this and that... queries, applications, etc... Can't be bothered or they just wouldn't know what to do, where to look for info, etc... It's not easy, doing what you do, and one needs to care and have time to research.

 

A lot of folks who get infected download stuff they know they shouldn't get close to, but the temptation often outweighs wisdom. Worse, many simply disable their antivirus and ignore firewall warnings when downloading "stuff". Those who get infected with protections "ON" may simply have gotten a new variant of something, undetected in the first 24-48 hours in the wild, or they simply have a not-so-good antivirus.

 

Virut installs a backdoor deep into the system (on the system drive) and then goes about downloading all kinds of other malware. When you re-imaged the system drive, you knocked out the backdoor and got clean executables back in. You had all your blockers in place, so when you re-connected the infected external drive, you were successful in stopping a full Virut installation again. The backdoor was trying to connect, but you saw it and stopped it, and then you and I started having some fun together ;-)

 

The only question I can't answer is : why did Virut install in the first place ? It didn't take much, just one "Allow" somewhere, sometime during the process is all it took, probably, and it could have been for something not that scary looking. With no AV onboard, your chances of blocking the spread were slim to none, considering how fast viral files replicate themselves. We don't have that many real viruses ou there anymore if you compare with, say, 5-6 years ago. Mostly trojans and rootkits now, found on P2P networks and crack sites. Fake video files, streaming apps and codecs, too. Much fewer email and instant messaging worms.

 

Gotta go, so lastly : I'm just glad I could help ;-)

 

Be safe out there, to all reading this.

 

===

[itsmejjj]

well i got to thingking i should run it ... about the drives and the possibility of bits left on it....

guess what..

i ran DR web the new one ver 6..

 

-----------------------------------------------------------------------------

Scan statistics

-----------------------------------------------------------------------------

Scanned: 187638

Infected: 559

Modifications: 0

Suspicious: 0

Adware: 2

Dialers: 0

Jokes: 0

Riskware: 0

Hacktools: 0

Cured: 546

Deleted: 0

Renamed: 0

Moved: 8

Ignored: 0

Scan speed: 365 Kb/s

Scan time: 1:49:22

-----------------------------------------------------------------------------

 

=============================================================================

Total session statistics

=============================================================================

Scanned: 187787

Infected: 559

Modifications: 0

Suspicious: 0

Adware: 2

Dialers: 0

Jokes: 0

Riskware: 0

Hacktools:0

Cured: 546

Deleted: 0

Renamed: 0

Moved: 8

Ignored: 0

Scan speed: 366 Kb/s

Scan time: 1:49:39

=============================================================================

 

 

well this took a while but we got the lot now..!

 

this program is different to any thing i have used..it takes over the pc.in

protect enhanced mode....

 

then you select what to scan..i could not take shots..

 

jjj

[So_sad]

Hi jjj,

 

I had not seen their new version yet. Former one was just about 14MB in size, while this one is 48MB (Kaspersky tool is much larger though).

I'm doing a scan in Protected Mode right now (Cool !).

 

Did you not have an option to save a log file at the end ? I'll see what I can find out once the scan here is over. Do you remember what those detections were all about ? Was it "Virut56" ??

 

See you later ;)

 

===

[So_sad]

Darn, the scanner didn't find anything infected on my test machine... Truth be told, I haven't run malware on it recently, and Fredvries' little Beta tool for FF wiped most of the malware backups I had on the machine LOL.

 

Anyway, this tool is very similar to the previous version, but it is a bigger download (3X the size). Not a problem for the majority who have high speed connections.

The older one did a "Quick Scan" first, and then prompted for the full scan if it detected anything. This one offers an "Express Scan" and then the full scan if it finds anything.

This new version is no longer named "CureIt!", but "Dr.Web Scanner for Windows". The info and download pages still say "CureIt!", but we don't see that name once the new tool is launched.

 

jjj : the scan results you posted seem to come from a log created by the tool... Did it not list any of the nasties it found ? To save a log from this CureIt tool, you click on the "File" menu and then "Save report list". I can't save one right now because I have zero detections...

 

I'll see if I can put some nasties on the machine soon, so I can do a full scan.

 

===

[itsmejjj]

"Virut56" ??

yes win 32.virut 56 and win 32 virut...

 

but most were 56...sort of felt like sending in the clean up men..flush out the rats.! well i did run Aver but was disappointing.all it did was lock up files.and not clean...and rendering my os unusable..so a reinstall (image)

fix this then i used dr web..at last using KV and this one i am very confident

i got it all,i am tired now of this and do this again in a few days..

the pc is beautiful,and fast ,and i am sure i did get it all.

cost me,but well one cant have this junk ,and no more funny stuff running..

itsmejjj

 

yes mate the log file is a mile long..i had a fast look gee it did a job!

[So_sad]

Sorry for the multiple posts :

 

jjj : looking around the settings, it says you should have a log file saved at :

 

%USERPROFILE%\DoctorWeb\CureIt.log

 

That would be something like this, on your W7 :

 

C:\Users\<your account name>\DoctorWeb\CureIt.log

 

Let me know if you have a full report (here or you can PM me as well).

 

Thanks

 

===

[So_sad]

Sorry jjj, I was writing my post (above) and didn't see yours before I submitted mine.

 

mile long log ? Yeah, that makes sense, with over 560 detections...

 

"Virut56" is the current family of Virut : polymorphic... and Kaspersky knows it well, too (they call it "Virut.CE"). I'm curious as to why KAV didn't pick all those up.

 

Yes, do scan again in a few days... with fingers crossed...

 

===

[itsmejjj]

ok i do that but i am so very tired now..spending 4 days at this..almost non stop..

i take a rest.and A bit to much and catching up..its day light

again! .....

jjj

[So_sad]

Yes, it's me again :mrgreen:

 

"Virut56" ??

...well i did run Aver but was disappointing.all it did was lock up files.and not clean...and rendering my os unusable..so a reinstall (image)

Hi jjj,

 

Did you mean "Avira" ? Could be. This is why we always prescribe Kaspersky and/or Dr.Web, because many antivirus programs can't handle Virut properly, and will either quarantine or delete infected files found... Can't do that with Virut, because system files are infected, so if you quarantine or delete system files, ya know what happens next : disaster = dead machine...

 

===

[itsmejjj]

Did you mean "Avira" ?

 

yes : gee i got to get some sleep!

 

ok I am trying the New Dr web..i downloaded the free package.and installed.it

65 meg i think...

 

 

what i did do when the app aasked me about a fire wall,and Av

 

i anserd non...i did have my own fire wall,but let it install

its apps..

 

then using IOBIT uninstaller rid dr web fire wall.(did not like it.

 

but the rest i am happy with..i prefere my LookNstop fire wall

 

why did i decide to forgo KV -it fialed to pick up all the virus bits

 

DR web missed nothing and was very kind to the Files..

 

think on this.

 

1641020 files 560 OD were infected.that others missed,

scanned 4 times failed to remove 3 ,i had to go into safe mode and kill them my self...

then thy cleared me of viruses...and got A+ clean vacationer...paper..(log)

any how:

all i lost were 8..sadly 200 gig, ,That were distributed,by the viruses to other apps..

 

but Dr web was kind,

and my OS fully in tacked...

i used Norton,KV.Alvira, and AV thy failed ...half a dozen other apps saw nothing

and i was confident i was ok..turn out far from the truth,

 

DR AV fixed every thing ,yes it was slow.and painfull..but saved my system,

and this is not a add for them but a top AV application...for me anyhow...

the free tool is a must have!if using a other AV..will not matter..

but now as i have it installed i don't need it now..if i decide to fork out for it..

and so far its looks like a winner..KV yes its good and popular ,but that is all

 

my system was dirty.choking with virus,and had 560 rats wandering about!

i still cant be leave it ran so well.

now its the way it should be...NO rats to be found.perhaps 1 or 2 may still be there? but i bet

thy will sit still.not dare to move.

 

i be leave as i know very little about virus apps i will say this ,its the best

of the best.This missed nothing!

 

now as a back up to i obits apps.i should be fine..and covered properly??

What a week its been..but this is my last on this..

and i thank IOBIT forum for allowing me my expressions.and postings..

and thank you all ,readers and helpers..and you who took a interest in a old mans dilemma

and many thanks to the admins...and SO sad your a champion..!!

 

 

itsmejjj

[So_sad]

Hi jjj,

 

I wish I could tell you that Dr.Web antivirus is a top performer, but I can't. Most comparatives out there don't even include Dr.Web in their lineup, so there is little info out there as far as how it might do compared with the top players. I'm also not a big "comparatives" fan, because many of those tests are biased, one way or the other.

 

I've used Dr.Web for years, but just the "CureIt" tool, because of its capabilities against file infectors like Virut and Sality. The AV has the same detections as CureIt of course, but I don't know how good it is against all families of malware. But the Russians are known for their skills when it comes to antivirus programs (Kaspersky for example).

 

One of the biggest complaints I've read over the years concerning Dr.Web had to do with too many false positives. This may have improved a lot since.

 

Concerning Kaspersky and those missed detections that Dr.Web got : it's tough to say without looking at the logs and files themselves. Virut changes on us almost every week, because the bad guys want to evade detection, so it's not rare to see Kaspersky miss one variant for a few days and then correct it as soon as they get samples at the lab. Same thing with Dr.Web.

 

Anyway, you have a month to try it out and see if you like it. I won't tell you to change because I simply don't know enough about it and can't find updated info on their new version from independant testers. Let us know how it goes...

 

 

====