Hidden Virus


So the other day I was infected by a virus but I believe I removed all of them.

Here's a log of it:

___________________________

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4006

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5/22/2010 11:33:37 PM

mbam-log-2010-05-22 (23-33-37).txt

Scan type: Quick scan

Objects scanned: 145709

Time elapsed: 10 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcxgqtjn (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcxgqtjn (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Peter\Local Settings\Application Data\weilthtyc\bedxreutssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

______________________________________

But ever since that day my computer has been acting all weird. The windows and button style switches to classic every time I restart/shut down the computer. And the internet stops working when it works on my laptop/iPhone. Only when I do a system restore does the internet work again. And I get random pop-ups when I go on Google. I've run full scans a bunch of times but nothing ever comes up, so the virus is probably hiding somewhere.


Hi PeterLuu,

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4006

You need to remove MBAM 1.45 and install the latest version which is 1.46.

Update the definitions. The current definition database is 4154. Please verify you have that one or an even higher version before running your scan.

Then run a Quick Scan in Normal Mode not safe mode, and post back that log please!

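As an added example (not from the thread or from Malwarebytes), the Python below parses an MBAM text log like the one posted above and raises the same points this reply raises: an outdated definition database, a scan run in Safe Mode, and summary counts that do not match the detections actually listed. The sample log is a trimmed copy of the first log in the thread; the minimum database version is a parameter, and the helper's figure of 4154 is what a caller would pass.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the first MBAM 1.45 quick-scan log in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.45
Database version: 4006
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Memory Processes Infected: 0
Registry Keys Infected: 4
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Peter\Local Settings\Application Data\weilthtyc\bedxreutssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")   # "Files Infected: 1"
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")                    # "Files Infected:"
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Turn an MBAM text log into header fields, summary counts and listed detections."""
    rep = {"version": "", "database": 0, "safe_mode": False, "summary": {}, "detections": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Malwarebytes' Anti-Malware "):
            rep["version"] = line.rsplit(" ", 1)[1]
        elif line.startswith("Database version: "):
            rep["database"] = int(line.split(": ")[1])
        elif line.startswith("Windows "):
            rep["safe_mode"] = "(Safe Mode)" in line     # MBAM appends this when run in Safe Mode
        elif (m := SUMMARY_RE.match(line)):
            rep["summary"][m["name"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):
            section = m["name"]                          # detail sections follow the summary block
        elif section and (m := ENTRY_RE.match(line)):
            rep["detections"].append({"section": section, "item": m["item"],
                                      "threat": m["threat"], "action": m["action"]})
    return rep

def review(rep, min_database):
    """Return the follow-up points a helper would raise before trusting this log."""
    issues = []
    if rep["database"] < min_database:
        issues.append(f"database {rep['database']} is older than {min_database}; update and rescan")
    if rep["safe_mode"]:
        issues.append("scan ran in Safe Mode; rescan in Normal Mode")
    listed = Counter(d["section"] for d in rep["detections"])
    for name, count in rep["summary"].items():           # summary must match the detail sections
        if listed[name] != count:
            issues.append(f"{name}: summary says {count} but the log lists {listed[name]}")
    if any(d["action"] != "Quarantined and deleted successfully" for d in rep["detections"]):
        issues.append("at least one item was not removed; reboot and rescan")
    return issues
```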

Here ya go.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4155

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/29/2010 9:42:22 PM

mbam-log-2010-05-29 (21-42-22).txt

Scan type: Quick scan

Objects scanned: 173646

Time elapsed: 14 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Peter\Local Settings\Temp\79bc5164.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.


Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When this "quick" scan is finished (a few seconds), copy the Quick scan report to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.

Please read the Combofix Guide at Bleeping Computer aka A guide and tutorial on using ComboFix

http://www.bleepingcomputer.com/combofix/h...se-combofix#use

In the event you already have Combofix, please delete it as this is a new version.

Please download Combofix from one of these locations:

HERE or HERE

Using ComboFix ->

I want you to rename Combofix.exe as you download it to rayman.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

Running Combofix

1. Launch Combofix (rayman.exe) from the Run Line, as follows:

Navigate to Start --> Run, and copy/paste this command exactly as shown, then hit Enter:

"%userprofile%\desktop\rayman.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of C:\Combofix.txt in your next reply with rkill.txt and ARKQ.txt.

Note: Do NOT mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.


GMER 1.0.15.15281 - http://www.gmer.net

Rootkit quick scan 2010-05-31 00:24:20

Windows 5.1.2600 Service Pack 3

Running: l1vm1brr.exe; Driver: C:\DOCUME~1\Peter\LOCALS~1\Temp\uwtoapow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86DC7D01

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


I have to review your Combofix log. In the meantime, I need you to perform a more in-depth ARK scan with the Anti-Rootkit Program (ARK) that you downloaded and ran previously, as follows:

First, disable the active protection component of your antivirus/antimalware by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Please relaunch Anti-Rootkit Program (ARK):

  • Double-click the randomly named EXE located in the C:\ARK folder
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO
    Then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than System drive (typically C:\)
    • Show All (don't miss this one)
    [Image: GMER_thumb.jpg]
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report back into your Post.

Please let me know if there is any improvement in Your computer's symptoms!

Re-enable any active protection that you disabled before performing the scan.


Let's do this:

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

KillAll::

Driver::
erekndum
hiegf
cheetah1
DADriv1
diskchk
sejt1
vtany
xhunter1
xp1
zenx1
npggsvc
saruen
XDva007
XDva008
XDva037
XDva119
XDva121
XDva201
XDva202
XDva279

AWF::
c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
c:\program files\iTunes\bak\iTunesHelper.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"=""

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into renamed ComboFix.exe (rayman.exe)

This will cause ComboFix to run again.

Please post back the log that opens when it finishes (C:\Combofix.txt), and also let me know how your PC is running now!

================================================================================

Download RootRepeal:

http://rootrepeal.googlepages.com/RootRepeal.zip

  • Extract the Zip File (archive) to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program
  • Click Settings -> Options, select the Driver Tab, and Check "Verify Digital Signatures (Experimental)"
  • Close the Settings Window
  • In Main Program screen, click the "Drivers" Tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • When the scan is done, Click the "Save Report" Button
  • Save the log file to your Documents or the RootRepeal folder
  • Post the content of the RootRepeal file scan log in your next reply.


That's OK!

Your RootRepeal log looks OK!

Can You check out this folder and see if it's empty or not?

c:\documents and settings\Peter\Local Settings\Application Data\weilthtyc

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

Save this to your desktop as AWF.bat by setting the "Save as Type" to "All files" in the pull down menu.

Double-click on AWF.bat to run this batch file

@echo off
REM Copy the saved originals from the bak\ subfolders back over the files they were replaced with (copy /y overwrites without prompting).
copy /y "c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe" "c:\program files\Common Files\InstallShield\UpdateService\issch.exe"
copy /y "C:\program files\iTunes\bak\iTunesHelper.exe" "c:\program files\iTunes\iTunesHelper.exe"
REM List the restored files with all attributes so their sizes and dates can be checked in the reply.
dir /a "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" > output.txt
dir /a "c:\program files\iTunes\iTunesHelper.exe" >> output.txt
notepad output.txt

Copy/Paste the log file output.txt into your next reply

Let me know if you have any errors when running the batch (BAT) file.

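An added Python equivalent of the batch file above (not part of the thread), for readers who want the restore step to verify itself: it copies each bak\ copy back over its target, records the size the way dir /a would, and hashes both files to confirm the copy actually landed. The directory layout in demo() is constructed in a temporary folder with made-up file contents; the real paths from the thread are not touched.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256(path):
    """SHA-256 of a file, used to confirm the restored copy is byte-identical to the bak copy."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def restore_from_bak(targets):
    """For each target path, copy <dir>/bak/<name> back over it (like copy /y) and verify.

    Returns one dict per target: whether it was restored, its size (what dir /a shows),
    whether the restored file hashes the same as the bak copy, and any error."""
    results = []
    for target in map(Path, targets):
        backup = target.parent / "bak" / target.name
        entry = {"target": str(target), "restored": False, "size": None,
                 "hash_match": None, "error": None}
        if not backup.is_file():
            entry["error"] = "no bak copy found"      # nothing to restore from; leave the file alone
        else:
            shutil.copy2(backup, target)               # copy /y: overwrite without prompting
            entry["restored"] = True
            entry["size"] = target.stat().st_size
            entry["hash_match"] = sha256(backup) == sha256(target)
        results.append(entry)
    return results

def demo():
    """Constructed layout in a temp dir: a fake iTunesHelper.exe whose good copy sits in a bak
    folder, and a fake issch.exe with no bak copy (the missing-backup case)."""
    root = Path(tempfile.mkdtemp())
    itunes = root / "iTunes"
    (itunes / "bak").mkdir(parents=True)
    (itunes / "bak" / "iTunesHelper.exe").write_bytes(b"MZ legitimate helper")
    (itunes / "iTunesHelper.exe").write_bytes(b"MZ file left by the infection")
    (root / "issch.exe").write_bytes(b"MZ no backup for this one")
    try:
        return restore_from_bak([itunes / "iTunesHelper.exe", root / "issch.exe"])
    finally:
        shutil.rmtree(root)                            # clean up the constructed layout
```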

That's good to hear hahah.

Yes, "c:\documents and settings\Peter\Local Settings\Application Data\weilthtyc" is empty.

&

This is the notepad text that popped up after running the batch. (Not sure if that's the log):

Volume in drive C has no label.

Volume Serial Number is 28A3-89EB

Directory of c:\program files\Common Files\InstallShield\UpdateService

07/27/2004 03:50 PM 81,920 issch.exe

1 File(s) 81,920 bytes

0 Dir(s) 99,779,457,024 bytes free

Volume in drive C has no label.

Volume Serial Number is 28A3-89EB

Directory of c:\program files\iTunes

04/28/2010 03:06 PM 142,120 iTunesHelper.exe

1 File(s) 142,120 bytes

0 Dir(s) 99,779,457,024 bytes free


Good job! We have a few steps to finish up now.

You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 20, if you have not done that already.

You can check your currently installed JRE version here.

If you find you need to update to the Java Runtime Environment (JRE) 6 Update 20, then follow these steps:

1. Download the latest JRE version from Sun Microsystems' website: http://java.sun.com/javase/downloads/index.jsp

2. Select the option that says: "Java Platform, Standard Edition JDK 6 Update 20 (JDK or JRE)" and click the "JRE Download" button.

3. Select your platform: Windows, in the pull down menu.

4. Check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement."

5. Click Continue.

6. Under the Windows Platform - Java SE Runtime Environment 6 Update 20 section, click on the link to download the Windows Offline Installation and save the installer to your desktop.

7. Close any programs you may have running - especially your web browser.

8. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

9. Reboot your system

10. Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version of the Sun Java Platform

11. If the Yahoo Toolbar is prechecked for installation be sure to UNCHECK it, if you do not care to have it, or already have it installed - it is not part of the JRE install and totally unnecessary.

12. You may verify that the current version installed properly by clicking here: http://java.com/en/download/installed.jsp

Now clear the Java cache:

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

-

If I asked you to download and run one or more ARKs (Antirootkit programs), then please uninstall them by doing all that apply as follows:

  • Delete the contents of the folder C:\ARK
  • Delete the C:\ARK folder
  • Delete the contents of the folder C:\RootRepeal
  • Delete the C:\RootRepeal folder

Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:

"%userprofile%\desktop\rayman.exe" /uninstall

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • Flush your system restore points and create a new restore point.
  • Rehide your system files and folders
  • Reset your system clock

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Operating System flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Updates.

However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place, so you can maintain a safe and secure computing environment.

Happy Surfing!



Glad we could help. ;)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
