
New Medichi Virus Here Too...


#1 Coolham23

  • Members
  • 2 posts
Posted 24 December 2007 - 02:26 AM

Hello, I am new here and seem to be infected with this unknown Medichi virus.
I can aid in any way possible and can access my Control Panel via other users. I use another version of Task Manager and I still have ESET NOD32 Antivirus running perfectly.
This virus seems to use 3 files, to my knowledge:
*/WINDOWS/Medichi.exe
*/WINDOWS/Medichi2.exe
*/WINDOWS/Murka.dat
--------------It also seems to do the following.
- Randomly try to copy files to other folders, both of which are not mentioned in the "Windows copying" box.
- Bring Spyware popups.
- Mute the system at random times.
- At each startup you get a Windows notification box labeled "Medichi2.exe - Unable to Locate Component" that states "This application has failed to start because MSVCR80.dll was not found. Re-installing the application may fix the problem."
- Destroy any Admin rights; it won't disable them on users that have only been run in safe mode.
- It regenerates even when disconnected from the internet, and only Medichi.exe seems to be detected as a threat. When all the files are deleted manually, symptoms continue to occur.
- As rare as it may be, you get a random popup trying to connect to "http://81.13.38.39/alert.htm". The page always comes up as "The server was reset, please contact the administrator" or at least something similar to that.
----------------------------------------------------------------
Here's the ComboFix log, seeing as I cannot get HijackThis to work. If anything other than the logs is needed, tell me.
--------------------------------------------
Start Time= 12/23/2007 Sun 16:45:31.20

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-12-24 07:45:44 ( .D... ) "C:\Program Files\Trend Micro"
2007-12-23 16:28:28 9216 ( A.... ) "C:\WINDOWS\medichi2.exe"
2007-12-23 16:28:28 5632 ( A.... ) "C:\WINDOWS\medichi.exe"
2007-12-23 14:17:24 724 ( A.... ) "C:\WINDOWS\system32\qmopt.dll"
2007-12-23 14:17:22 5632 ( A.... ) "C:\WINDOWS\system32\lanmandrv.sys"
2007-12-23 14:17:22 5632 ( A.... ) "C:\WINDOWS\system32\lanmandrv.sys"
2007-12-23 14:17:00 36352 ( A.... ) "C:\WINDOWS\system32\install.exe"
2007-12-22 23:47:54 ( .D... ) "C:\Program Files\Security Task Manager"
2007-12-20 22:54:22 ( .D... ) "C:\Program Files\%ramdrv%"
2007-12-20 19:31:12 2955 ( A.... ) "C:\WINDOWS\system32\CHOICE.COM"
2007-12-18 22:30:18 ( .D... ) "C:\Program Files\Dell"
2007-12-18 13:28:42 ( .D... ) "C:\Program Files\K-Lite Codec Pack"
2007-12-17 22:54:02 ( .D... ) "C:\Program Files\MP3 Player Utilities 4.00"
2007-12-17 22:48:36 ( .D... ) "C:\Program Files\MP3 Player Utilities 4.15"
2007-12-17 22:38:12 ( .D... ) "C:\Program Files\ACE Mega CoDecS Pack"
2007-12-17 19:07:04 ( .D... ) "C:\Program Files\s1res"
2007-12-16 21:11:00 ( .D... ) "C:\Program Files\EcoleSoftware"
2007-12-09 09:42:14 ( .D... ) "C:\Program Files\Registry Medic 5"
2007-12-09 02:05:46 ( .D... ) "C:\Program Files\AusLogics Disk Defrag"
2007-11-28 00:11:44 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2007-11-25 00:00:18 ( .D... ) "C:\Program Files\Skype"
2007-11-25 00:00:14 ( .D... ) "C:\Program Files\Common Files\Skype"
2007-11-21 03:00:00 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2007-11-21 03:00:00 185688 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2007-11-21 03:00:00 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2007-11-21 03:00:00 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2007-11-19 18:36:54 ( .D... ) "C:\Program Files\RivaTuner v2.06"
2007-11-19 16:48:26 13824 ( A.... ) "C:\WINDOWS\system32\10761.exe"
2007-11-10 14:11:14 ( .D... ) "C:\Program Files\Fate"
2007-09-28 17:07:52 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2007-09-28 17:05:50 81920 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2007-09-28 17:05:40 739840 ( A.... ) "C:\WINDOWS\system32\divx.dll"
2007-09-24 23:31:42 139264 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2007-09-24 22:30:30 135168 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2007-09-24 22:30:28 135168 ( A.... ) "C:\WINDOWS\system32\java.exe"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"_Double Password"="C:\\Program Files\\Double Password\\svchost .exe /tray"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"egui"="\"C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe\" /hide /waitservice"
"Medichi"="medichi.exe"
"Medichi2"="medichi2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
@=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LaunchPd"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\ATI Multimedia\\main\\LaunchPd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WinVNC"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TightVNC\\WinVNC.exe\" -servicehelper"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=dword:00000002


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Registry Medic Schedule.job

Completion time: 12/23/2007 Sun 16:45:53.71
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt
------------------------------------
Why does CHOICE.COM seem suspicious?
- Coolham23 -

Edited by Coolham23, 24 December 2007 - 03:27 AM.
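The ComboFix log in the post above already contains the two facts that make these entries stand out: the Run key values "Medichi"="medichi.exe" and "Medichi2"="medichi2.exe" carry no path (so the loader finds them via its search path, which is why a copy in C:\WINDOWS is enough), and the Find3M report shows those very files dropped into the Windows directory a few minutes apart. The script below is an added triage example, not code from the original post or from ComboFix: it parses the Find3M and Run-key sections of a ComboFix-style log and flags autorun entries that deserve a second look (bare file names, images living directly in C:\WINDOWS, names that mimic system binaries outside system32, whitespace before the extension as in "svchost .exe"). The sample log is a constructed subset of the post's log; the C:\WINDOWS layout and the list of mimicked system names are assumptions, and a hit is a lead to verify, not a verdict.

```python
"""Triage helper for ComboFix-style logs (added example, not part of the original post)."""
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines copied from the post's log above.
SAMPLE_LOG = r'''
(((((( Find3M Report ))))))

2007-12-24 07:45:44 ( .D... ) "C:\Program Files\Trend Micro"
2007-12-23 16:28:28 9216 ( A.... ) "C:\WINDOWS\medichi2.exe"
2007-12-23 16:28:28 5632 ( A.... ) "C:\WINDOWS\medichi.exe"
2007-12-23 14:17:22 5632 ( A.... ) "C:\WINDOWS\system32\lanmandrv.sys"
2007-12-23 14:17:00 36352 ( A.... ) "C:\WINDOWS\system32\install.exe"

(((((( Reg Loading Points ))))))

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"_Double Password"="C:\\Program Files\\Double Password\\svchost .exe /tray"
"egui"="\"C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe\" /hide /waitservice"
"Medichi"="medichi.exe"
"Medichi2"="medichi2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
@=""
'''

WINDIR = PureWindowsPath(r"C:\WINDOWS")          # assumption: default XP layout, as in the log
SYSTEM32 = WINDIR / "system32"
# Assumed list of system binary names that malware likes to borrow.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services", "explorer"}

# Find3M file line: timestamp, size, attribute flags, quoted path (directory lines have no size).
FILE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+\(\s*[A-Z.]+\s*\)\s+"([^"]+)"', re.M)
# The HKLM/HKCU ...\Run key header plus the "name"="value" lines that follow it.
RUN_RE = re.compile(r'^\[hkey_(?:local_machine|current_user)\\software\\microsoft\\windows'
                    r'\\currentversion\\run\][ \t]*$((?:\n"[^\n]*)*)', re.I | re.M)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$', re.M)
# Quoted image path, or an unquoted one up to the first executable extension
# (this is what keeps "svchost .exe" in one piece instead of splitting on the space).
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)', re.I)


def extract_image(cmd):
    """Return the program part of a Run-key command line, dropping its arguments."""
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group(1) or m.group(2)
    return cmd.split()[0] if cmd.split() else cmd


def index_files(log_text):
    """Map lower-cased file name -> [(timestamp, size, PureWindowsPath)] from Find3M."""
    files = {}
    for ts, size, path in FILE_RE.findall(log_text):
        p = PureWindowsPath(path)
        files.setdefault(p.name.lower(), []).append((ts, int(size), p))
    return files


def triage(log_text):
    """Return a list of suspicious Run entries, each with the reasons it was flagged."""
    files = index_files(log_text)
    findings = []
    for key in RUN_RE.finditer(log_text):
        for name, raw in VALUE_RE.findall(key.group(1)):
            cmd = raw.replace('\\"', '"').replace('\\\\', '\\')   # undo the log's escaping
            image = extract_image(cmd)
            path = PureWindowsPath(image)
            reasons = []
            if not any(sep in image for sep in "\\/"):
                reasons.append("bare file name: resolved through the loader's search path, "
                               "not a fixed location")
                # Guess where the loader lands by matching the name against Find3M.
                for _ts, _size, p in files.get(path.name.lower(), []):
                    if p.parent in (WINDIR, SYSTEM32):
                        path = p
                        break
            if path.parent == WINDIR:
                reasons.append("image sits directly in the Windows directory")
            stem = path.stem
            if stem != stem.strip():
                reasons.append("whitespace before the extension")
            if stem.strip().lower() in SYSTEM_NAMES and path.parent != SYSTEM32:
                reasons.append("name mimics a system binary but is not in system32")
            if reasons:
                meta = files.get(path.name.lower(), [])
                findings.append({"name": name, "image": str(path), "reasons": reasons,
                                 "modified": meta[0][0] if meta else None,
                                 "size": meta[0][1] if meta else None})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']}: {f['image']} (size={f['size']}, modified={f['modified']})")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample, Medichi and Medichi2 are flagged for both the bare name and the C:\WINDOWS location, with the Find3M size and timestamp attached so the two drops can be seen to coincide; "svchost .exe" is flagged for the lookalike name and the stray space. UpdReg.EXE is also reported because it lives in C:\WINDOWS, which is the caveat: the script surfaces candidates for the helper to verify, it does not decide.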
#2 Grinler

    Lawrence Abrams

  • Admin
  • 43,395 posts

Posted 09 January 2008 - 02:33 PM

I want you to redownload ComboFix:
  • Download Combofix to your desktop.

  • Doubleclick combofix.exe

  • Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after a reboot if it asks for one, ComboFix will open again to gather the necessary information for the log. This may take a while, so please be patient. When done, ComboFix will close and a log should open called combofix.txt.

Post the contents of this log in your next reply along with a new HijackThis log.

Please do not post the ComboFix-quarantined-files.txt unless I ask you to.
