Nasty virus!

nuley · March 5, 2010

Dear friends

Once again I have a nasty virus which starts off with a 'scan' running of alleged Antivirus 2010 Security and picks up various viruses. It then hijacks the internet browser and nothing works.

Virgin pc security has picked up Trojan.win32.Fraudpack.anqq and Win32inject.anny.

I noticed a Browser choice shortcut icon on the desktop and have removed the exe from system and bin, and that's how I've managed to finally get here as we've not been able to access internet for a couple of days.

But I expect it will come back! Please could you advise what next?

Thanks very much for your valued (as ever!) help.

Nuley

Starbuck · March 6, 2010

Hi nuley

Step 1

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1

Link 2

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

This is an example, you may rename ComboFix to anything you want.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
For more information read:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Then:

Double click on Combo-Fix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If running Vista, you may not see this screen
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

nuley · March 6, 2010

Thanks very much for this.

I've saved Combo-Fix.exe to desktop as an application but when I try to open it, a dialog box pops up asking what application I want to use to open it with, as it seems to think it's a file. I resaved it and double checked it was saved as an application, but same problem occured. What should I do?

Thanks again

nuley

Starbuck · March 6, 2010

Right, it would seem that the malware has effected files with an .exe extension.

This is becoming quite common.

You could try altering the combofix extension to .com ( it should still run) but failing that

Try this:

Please download exeHelper to your desktop.

If your AV program throws up a warning about the program, ignore the warning. Some AV's flag this program because of how it works... that's all.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt ( Will be created in the directory where you ran exeHelper.com and should open at the end of the scan)

Note : If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together ( they will both be in the one file ).

Thanks

nuley · March 7, 2010

Thanks for this, combo-fix.com ran OK so I didn't have to do the exeHelper stage. It did query how to open ie.exe but it seemed to go away when I cancelled it.

Here's the log:

ComboFix 10-03-06.06 - John 07/03/2010 9:48.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.751.426 [GMT 0:00]

Running from: c:\documents and settings\John\Desktop\Combo-Fix.com

AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}

FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\John\Application Data\wiaserva.log

c:\documents and settings\John\Local Settings\Application Data\{4D05995A-1EB2-4DC9-A2FE-7E263FB17580}

c:\documents and settings\John\Local Settings\Application Data\{4D05995A-1EB2-4DC9-A2FE-7E263FB17580}\chrome.manifest

c:\documents and settings\John\Local Settings\Application Data\{4D05995A-1EB2-4DC9-A2FE-7E263FB17580}\chrome\content\_cfg.js

c:\documents and settings\John\Local Settings\Application Data\{4D05995A-1EB2-4DC9-A2FE-7E263FB17580}\chrome\content\overlay.xul

c:\documents and settings\John\Local Settings\Application Data\{4D05995A-1EB2-4DC9-A2FE-7E263FB17580}\install.rdf

c:\documents and settings\John\Local Settings\Temporary Internet Files\Bola8LY7.jpg

c:\documents and settings\John\Local Settings\Temporary Internet Files\NxKmx1pj.jpg

c:\documents and settings\John\Local Settings\Temporary Internet Files\x0BaMJ.jpg

c:\documents and settings\John\Local Settings\Temporary Internet Files\Y35b1.jpg

c:\windows\msasds.dll

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\umotuqoleziba.dll

.

((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))

.

2010-03-07 09:48 . 2010-03-07 09:48 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS

2010-03-05 17:01 . 2010-03-07 09:39 120 ----a-w- c:\windows\Bmimu.dat

2010-03-05 17:01 . 2010-03-07 09:39 0 ----a-w- c:\windows\Bxelanulamo.bin

2010-02-26 16:52 . 2010-02-26 17:09 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Temp

2010-02-13 13:22 . 2010-02-13 13:22 58552 ---ha-w- c:\windows\system32\mlfcache.dat

2010-02-07 13:52 . 2010-02-07 13:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-02-07 13:47 . 2010-02-07 13:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-07 10:04 . 2009-07-20 09:04 36078368 --sha-w- c:\windows\system32\drivers\fidbox.dat

2010-03-07 10:03 . 2009-07-20 09:03 631584 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2010-03-07 10:01 . 2009-07-20 09:03 61256 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2010-03-07 10:01 . 2009-07-20 09:04 485216 --sha-w- c:\windows\system32\drivers\fidbox.idx

2010-02-13 11:29 . 2009-07-19 12:48 -------- d-----w- c:\program files\iTunes

2010-02-07 13:46 . 2008-09-16 14:34 -------- d-----w- c:\program files\Google

2010-01-19 20:00 . 2009-04-02 16:09 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-13 19:49 . 2010-01-13 19:49 -------- d-----w- c:\program files\Disney

2009-12-31 16:50 . 2002-08-27 11:43 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2004-01-08 15:23 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2002-08-27 11:58 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2002-08-27 11:43 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:27 . 2002-08-27 11:43 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2001-08-17 13:48 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-07-04 188416]

"VCSPlayer"="c:\program files\Virtual CD v4 SDK\system\vcsplay.exe" [2002-06-07 299008]

"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digimax Viewer 2.1.lnk - c:\program files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [2006-5-16 634880]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [03/01/2010 13:25 28552]

R1 vcsmpdrv;vcsmpdrv;c:\windows\system32\drivers\vcsmpdrv.sys [17/03/2003 17:03 49232]

R3 CVIAAUD;NEC VIA 3D Environmental Audio;c:\windows\system32\drivers\cviaaud.sys [01/01/1980 320864]

R3 CVIAHALA;CVIAHALA;c:\windows\system32\drivers\cviahal.sys [01/01/1980 214688]

R3 DUBE100B;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100B.sys [28/04/2007 09:30 18560]

R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 17:28 161304]

R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 17:28 29720]

R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 17:28 27376]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/02/2010 13:47 135664]

S2 ImapiServiceCOMSysApp;IMAPI CD-Burning COM Service ImapiServiceCOMSysApp;c:\windows\system32\amr_cpli.exe srv --> c:\windows\system32\amr_cpli.exe srv [?]

S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [01/01/1980 1432836]

.

Contents of the 'Scheduled Tasks' folder

2009-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 13:46]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 13:46]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.virginmedia.com

uInternet Connection Wizard,ShellNext = hxxp://www.microsoft.com

uInternet Settings,ProxyOverride = <local>;*.local

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {{1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - c:\apps\IECustom\script.htm

DPF: Microsoft XML Parser for Java - http://file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Dzirifigoreye - c:\windows\umotuqoleziba.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-03-07 10:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4213343257-1473697035-1497813335-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@SACL=

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2540)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Virgin Broadband\PCguard\Fws.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Virtual CD v4 SDK\system\vcssecs.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-03-07 10:13:22 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-07 10:13

ComboFix2.txt 2010-01-01 13:52

Pre-Run: 16,883,298,304 bytes free

Post-Run: 16,930,287,616 bytes free

- - End Of File - - C929135BFCEEB6AADB2F16723CEF93D6

Thanks for your help! I really appreciate it.

Nuley

Starbuck · March 7, 2010

Hi nuley,

Step 1

Let's grab a couple of flies for analysis.

Close any open browsers.

Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.

Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

http://extremetechsupport.com/forum/malware-infection-removal/9323-nasty-virus.html#post63781

Collect::
c:\windows\Bmimu.dat
c:\windows\Bxelanulamo.bin

File::
c:\windows\system32\mlfcache.dat

Go to the Notepad window and click Edit >> Paste

Then click File >> Save

Name the file "CFScript.txt" (including the quotes)

Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop

Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon

as below.

http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/cf.gif

Now please wait for ComboFix to finish running.

When Combofix has completed, a box will appear asking you to submit files for further analysis.

Please ensure you are connected to the internet and click OK.

http://img.photobucket.com/albums/v708/starbuck50/new/cfsub.png

In the event that the upload site may be offline, you will see the following message ...

http://img.photobucket.com/albums/v708/starbuck50/new/cfsub2.png

You can manually submit the files by navigating to:

C:\CF-Submit.htm

and double clicking to submit the files.

Note: ComboFix's log shall pop up only after the upload routine has finished running.

Step 2

I'd still recommend running 'exeHelper', it'll help to correct a few things on your system:

Please download exeHelper to your desktop.

If your AV program throws up a warning about the program, ignore the warning. Some AV's flag this program because of how it works... that's all.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt ( Will be created in the directory where you ran exeHelper.com and should open at the end of the scan)

Note : If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together ( they will both be in the one file ).

Step 3

Download OTL to your desktop.
if you have problems, try this download link:
OTL
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check

.

http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png

netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.

http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
.
Click the Run Scan button.

http://img.photobucket.com/albums/v708/starbuck50/runscan.png
Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:

New combofix.txt

exehelperlog.txt

Both reports from OTL. (if they are too big to post, feel free to add them as attachments.)

Thanks.

nuley · March 9, 2010

Dear Starbuck

Thanks very much for this - it wasn't nearly as difficult as I'd feared!

The logs are below: