Help with a virus/malware
#1
Posted 07 June 2009 - 12:54 PM
I need some help fixing the damage from a virus. I think it was the winav 2009. I caught it before it completely took hold but it did hit some things.
Symptoms...
I can't run in full XP mode for long before it locks up, and when you restart, Windows hangs.
I can run in safe mode for the most part. I'm in the directory fix one now.
I can't run System Restore. I have even tried renaming the folder but it says it's denied... can even open it. (neither in safe nor full mode)
I have 6 svchost.exe running in safe mode. I know it's needed, but after doing research I found that that software uses that .exe.
I also get an audio ad for XM satellite radio in all modes at random intervals. I can see where it's coming from.
I have run AVG 8.5 Free through safe mode and found nothing, but I can stay in full mode long enough to complete a scan.
I'm stumped. I tried reinstalling SP3 and IE 8 with no help. As I stated before, System Restore won't work (even in safe mode). I even cleaned the heat sink and power supply fan (not that they needed it) to rule out a heat issue. In short, I need help.
If you need more info I can get it just ask and tell me where to get it
also...
I was running AVG 8.5 Free and behind 2 firewalls (Windows and the router). I have no idea how this got through or how that ad gets out. Well, I kind of know. I've been running the Task Manager while the computer is running. It is using Internet Explorer without it opening up. On a side note, I can't run Spybot S&D (scan) at all, and that also runs in the background all the time. If you have ever run that you will notice the pop-ups asking permission all the time... well, not all the time.
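The two observations above (several svchost.exe instances, and Internet Explorer running without a visible window) are exactly what a process triage should check. Added example, not from the thread: a PowerShell script (assumed run as Administrator on the affected machine) that lists each svchost.exe with its image path, parent and command line, flags the ones that do not look like a legitimate service host, and lists browser processes that have no main window.

```powershell
# Added triage example (not posted in the thread). Run from an Administrator
# prompt so WMI can read the path and command line of SYSTEM-owned processes.
$all = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($proc in $all) { $byPid[[int]$proc.ProcessId] = $proc }

# A legitimate svchost.exe runs from %SystemRoot%\System32, is started by
# services.exe and carries a "-k <group>" argument. Anything else is suspect.
$sys32 = Join-Path $env:SystemRoot 'System32'
$report = foreach ($p in ($all | Where-Object { $_.Name -eq 'svchost.exe' })) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $flags = @()
    if (-not $p.ExecutablePath -or
        -not $p.ExecutablePath.StartsWith($sys32, 'OrdinalIgnoreCase')) { $flags += 'path' }
    if ($parentName -ne 'services.exe')        { $flags += 'parent' }
    if ($p.CommandLine -notmatch '-k\s+\S+')   { $flags += 'no -k group' }
    New-Object PSObject -Property @{
        PID     = $p.ProcessId
        Parent  = "$parentName ($($p.ParentProcessId))"
        Path    = $p.ExecutablePath
        CmdLine = $p.CommandLine
        Suspect = ($flags -join ', ')
    }
}
$report | Sort-Object Suspect -Descending | Format-Table PID, Parent, Suspect, Path, CmdLine -AutoSize

# Browser processes with no visible window: a hidden Internet Explorer instance
# is how the audio ads described above can play without any window opening.
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 } |
    Select-Object Id, Path, StartTime
```

Several svchost.exe instances are normal on XP; the ones worth a closer look are those flagged in the Suspect column, and any iexplore.exe listed by the last pipeline.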
#2
Posted 07 June 2009 - 03:02 PM
Let's see if we can ID the problem.
Do this in safe mode with an internet connection.
Please download Malwarebytes Anti-Malware and save it to your desktop.
- Make sure you are connected to the Internet.
- Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
- On the Scanner tab:
- Make sure the "Perform Full Scan" option is selected.
- Then click on the Scan button.
- If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
- When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad.
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply and exit MBAM.
See if that works.
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)
#3
Posted 07 June 2009 - 03:30 PM
#4
Posted 07 June 2009 - 04:30 PM
It is as I feared. I even made another admin account with another name to try.... It won't install. Is there a way I can pick them off manually?
#5
Posted 07 June 2009 - 05:47 PM
Mystic Knight, on Jun 7 2009, 10:30 PM, said:
It is as I feared. I even made another admin account with another name to try.... It won't install. Is there a way I can pick them off manually?
Not unless we know what we're picking off.
Manually is our last resort. If we are really stuck then I will take you over to the HijackThis area.
What messages are you getting when you try to run MBAM? It may be that the malware is recognising these programs.
Can you try to download MBAM but rename it Knight.exe, for example?
If that doesn't work then we'll try another angle.
#6
Posted 07 June 2009 - 07:32 PM
#7
Posted 07 June 2009 - 07:38 PM
Please run a BitDefender Online Scan
- Click I Agree to agree to the EULA.
- Allow the ActiveX control to install when prompted.
- Click Click here to scan to begin the scan.
- Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
- When the scan is finished, click on Click here to export the scan results.
- Save the report to your desktop so you can post it in your next reply.
#8
Posted 08 June 2009 - 09:28 PM
#9
Posted 09 June 2009 - 03:37 AM
Let's try a few more things.
Can you disable AVG and then try running BitDefender again?
If that doesn't work then please post back with any malware that it identifies before it stalls.
After that please boot into safe mode and attempt to run MBAM.
Thanks
This post has been edited by m0le: 09 June 2009 - 03:53 AM
#10
Posted 26 June 2009 - 06:52 PM
Scan : completed
----------------
Scanned: 1374279
Detected: 29
Untreated: 0
Start time: 7/15/2008 10:14:54 AM
Duration: 1 00:12:01
Finish time: 7/16/2008 10:26:55 AM
Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.Win32.IstBar.lu File: D:\downloads\sim golf key gen .zip/setup.exe//data0001
deleted: Trojan program Trojan-Downloader.Win32.IstBar.nn File: D:\downloads\sim golf key gen .zip/setup.exe//data0003
disinfected: Trojan program Trojan-Downloader.Win32.IstBar.nn File: D:\downloads\_playstaion 2 emulator_.zip
deleted: Trojan program Trojan-Downloader.Win32.IstBar.lu File: D:\downloads\sim golf key gen\setup.exe//data0001
deleted: Trojan program Trojan-Downloader.Win32.IstBar.nn File: D:\downloads\sim golf key gen\setup.exe//data0003
deleted: Trojan program Trojan-Downloader.Win32.IstBar.lu File: D:\downloads\wc3\setup.exe//data0001
deleted: Trojan program Trojan-Downloader.Win32.IstBar.nn File: D:\downloads\wc3\setup.exe//data0003
deleted: riskware not-a-virus:FraudTool.Win32.SpyNoMore.g File: D:\Program Files\flv2video_converter-trial.exe
deleted: riskware not-a-virus:FraudTool.Win32.Antivirus2008pro.ak File: E:\Documents and Settings\Sharlene Bender\Local Settings\Temp\dssc32.exe
deleted: Trojan program Trojan-Downloader.Win32.IstBar.lu File: E:\Documents and Settings\Sharlene Bender\Local Settings\Temp\install\setup.exe//data0001
deleted: Trojan program Trojan-Downloader.Win32.IstBar.nn File: E:\Documents and Settings\Sharlene Bender\Local Settings\Temp\install\setup.exe//data0003
deleted: Trojan program Trojan.Win32.Monderb.gen File: E:\Documents and Settings\Sharlene Bender\Local Settings\Temporary Internet Files\Content.IE5\PAX8I7HZ\kb767887[1]
deleted: Trojan program Trojan.Win32.Monderb.gen File: E:\Documents and Settings\Sharlene Bender\Local Settings\Temporary Internet Files\Content.IE5\PE59A8BM\kb767887[1]
deleted: Trojan program Trojan.Win32.Monderb.gen File: E:\Documents and Settings\Sharlene Bender\Local Settings\Temporary Internet Files\Content.IE5\VWY4TYJB\css4[1]
deleted: Trojan program Trojan-Downloader.Win32.IstBar.lu File: E:\Documents and Settings\Sharlene Bender\My Documents\shqreza stuf\sim golf key gen\setup.exe//data0001
deleted: Trojan program Trojan-Downloader.Win32.IstBar.nn File: E:\Documents and Settings\Sharlene Bender\My Documents\shqreza stuf\sim golf key gen\setup.exe//data0003
deleted: riskware not-a-virus:Client-IRC.Win32.mIRC.616 File: E:\Mythbusters_script\mirc.exe
deleted: riskware not-a-virus:RiskTool.Win32.Deleter.e File: E:\Program Files\MP3 Player Utilities 4.00\DelDrv.exe
deleted: riskware not-a-virus:FraudTool.Win32.Antivirus2008pro.ak File: E:\RECYCLER\S-1-5-21-3366713733-1142844746-568218497-500\Dc1.exe
deleted: Trojan program Trojan.Win32.Vapsup.igv File: E:\WINDOWS\gpefaowr.exe
deleted: Trojan program Trojan.Win32.Monderb.gen File: E:\WINDOWS\system32\ddcYpmLF.dll
deleted: Trojan program Trojan.Win32.Monderb.gen File: E:\WINDOWS\system32\enwdmdvb.dll
deleted: Trojan program Trojan.Win32.Monderb.gen File: E:\WINDOWS\system32\geBuTJyx.dll
deleted: Trojan program Trojan.Win32.Monderb.gen File: E:\WINDOWS\system32\jocloi.dll
deleted: Trojan program Trojan.Win32.Monderb.gen File: E:\WINDOWS\system32\rqRIcbcc.dll
deleted: Trojan program Trojan-Downloader.Win32.IstBar.nn File: D:\downloads\sim golf key gen\setup.exe
deleted: Trojan program Trojan-Downloader.Win32.IstBar.nn File: D:\downloads\wc3\setup.exe
deleted: Trojan program Trojan-Downloader.Win32.IstBar.nn File: E:\Documents and Settings\Sharlene Bender\Local Settings\Temp\install\setup.exe
deleted: Trojan program Trojan-Downloader.Win32.IstBar.nn File: E:\Documents and Settings\Sharlene Bender\My Documents\shqreza stuf\sim golf key gen\setup.exe
Events
------
Time Name Status Reason
---- ---- ------ ------
7/15/2008 10:14:54 AM Logical disk sector: D ok scanned
7/15/2008 10:14:54 AM Logical disk sector: E ok scanned
7/15/2008 10:14:55 AM Physical disk sector: \Device\HarddiskVolume5 ok scanned
7/15/2008 10:14:55 AM Physical disk sector: \Device\HarddiskVolume3 ok scanned
7/15/2008 10:14:55 AM Physical disk sector: \Device\Harddisk1\DR8 ok scanned
7/15/2008 10:14:55 AM Physical disk sector: \Device\Harddisk2\DR2 ok scanned
7/15/2008 10:14:55 AM Physical disk sector: \Device\Harddisk0\DR0 ok scanned
7/15/2008 10:14:56 AM File: D:\!aso.txt ok scanned
Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------
Settings
--------
Parameter Value
--------- -----
Security Level Custom
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives all
Scan embedded OLE objects all
Do not scan archives larger than No
Skip if scan takes longer than No
Parse email formats Yes
Scan password-protected archives Yes
Use iChecker technology Yes
Use iSwift technology Yes
Show detected threats on "Detected" tab Yes
Rootkit scan Yes
Extended rootkit scan No
Use heuristic analyser No
#11
Posted 30 June 2009 - 08:23 AM
See if you can get MalwareBytes to install now. As m0le said, be sure to rename it. If you are able to install it, then rename the executable from mbam.exe to something like MK.cmd or MK.scr.
MalwareBytes will run under several different endings.
Before you run it, please run ATF Cleaner:
If you're running XP, please run ATF cleaner according to the following instructions. If you're using Vista, right-click on the icon and select "run as Administrator".
Please download ATF Cleaner by Atribune & save it to your desktop.
- Double-click ATF-Cleaner.exe to run the program.
- Under Main "Select Files to Delete" choose: Select All.
- Click the Empty Selected button.
- If you use the Firefox browser, click Firefox at the top and choose: Select All.
- Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt.
- If you use the Opera browser, click Opera at the top and choose: Select All.
- Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt.
- Click Exit on the Main menu to close the program.
If you are able to run ATF and MalwareBytes, please post the results for MalwareBytes. The log is under the logs and reports tab.
If you are unable to do any of this, please continue with the Preparation Guide. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal and start a new topic. If you request help from the HijackThis forum, do not make any further changes like adding and removing programs until someone can help you. Also, give a link to this thread, so they have this information of what you've tried so far and what has worked.
Zllio