
A new virus?/ Moved

3 replies to this topic

#1 Nicolas Buduroi

Posted 11 March 2009 - 09:46 AM

Hi, it's my first post here and I just wanted to say that this forum has been invaluable in the past while fighting malware. I've just finished removing a new one that is very strange and on which I cannot find any information. It looks like I'm the only one ever infected by it!

I suspect the malware got through a Firefox 3.0.6 vulnerability; it happened one day before the release of version 3.0.7. I noticed the symptoms quite fast: a general slowdown, the explorer context menu blocking IO, and finally the obvious redirection of links from Google, but only for a few of them. Also, trying to open cmd.exe or regedit.exe killed explorer, forcing it to restart; this was easily bypassed by renaming them.

This virus, among other things, took control of kernel32.dll threads and used some processes like jusched, explorer, lsass, spoolsv, svchost (the main one and another with DCOM and terminal service stuff) and winlogon. Every five seconds it was doing some weird file manipulation. First it created a file called ymihh.sca in the current user's "Local Settings" folder, then closed it. Just after that, it was (re)creating the sqlsodbc.chm file in the system32 folder, then reading it and closing it. While waiting, the hijacked kernel32 threads were in the DelayExecution state, while normal ones are usually waiting in the WrLpcReceive state. When I tried to delete ymihh.sca manually and kill the processes and/or threads creating it, sometimes it was recreated as ymihh.scax or even padded with more 'x' at the end, until it reached the file name size limit.

I've tried running the latest versions of Spybot, Malwarebytes, BitDefender, Kaspersky, Trend Micro and even Norton. They all found nothing, except for Spybot finding some tracking cookies from previous users and Kaspersky reporting false positives, namely the Spiceworks and TightVNC installers. After that, I tried SmitFraudFix, ComboFix and VundoFix. Only VundoFix found something, in a Visual Studio help DLL (Microsoft.VisualStudio.OfficeTools.Designer.ni.dll). HijackThis looked normal, as did the GMER output. I did try some other tools, but none revealed anything. The virus was still there with the same symptoms as before. I also looked at network traffic with Wireshark to see if it was trying to do something when replugging the network cable. Nothing unusual there either.

At that point I started to get creative and used Process Explorer to identify and suspend all rogue kernel32 threads. That stopped the file manipulation right away, and after a couple of minutes cmd.exe and regedit.exe were accessible again. That seemed to have stopped it. Yet rebooting made it reappear, so I stopped it again and opened Autoruns to disable all user startup processes. Upon rebooting this time there was no trace of this annoying malware. I've re-enabled every startup process, hoping to find the culprit, but to my astonishment, there was no trace left of the virus.

This machine is running Windows XP SP3 and is quite loaded. It has the full MS dev environment from VS 6.0 through 2005, plus some Express Editions as well. Also, I was running blackbox (bbLean) as a shell instead of explorer.

So, does anyone recognize this malware, or is it something new? Is there a way to ensure that my computer is really clean now? If someone needs them, I have kept copies of ymihh.sca, sqlsodbc.chm and Microsoft.VisualStudio.OfficeTools.Designer.ni.dll. My HijackThis log will follow.

Thanks
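As an added illustration (not code from the original post or from any of the tools named in it), here is a small Python check for the file pattern Nicolas describes: a ymihh.sca* creation in Local Settings followed by the same process recreating system32\sqlsodbc.chm, recurring about every five seconds. It runs over constructed Process Monitor-style events; the user name "nb", the timestamps and the process mix are assumptions.

```python
import re
from datetime import datetime

# Constructed Process Monitor-style file events (not a real capture). The user name "nb",
# the timestamps and the process mix are assumptions; the file names and the five-second
# cadence come from the post. Fields: time, process, operation, path.
SAMPLE_EVENTS = """\
09:46:00.010,explorer.exe,CreateFile,C:\\Documents and Settings\\nb\\Local Settings\\ymihh.sca
09:46:00.050,explorer.exe,CreateFile,C:\\WINDOWS\\system32\\sqlsodbc.chm
09:46:05.020,spoolsv.exe,CreateFile,C:\\Documents and Settings\\nb\\Local Settings\\ymihh.sca
09:46:05.060,spoolsv.exe,CreateFile,C:\\WINDOWS\\system32\\sqlsodbc.chm
09:46:10.030,lsass.exe,CreateFile,C:\\Documents and Settings\\nb\\Local Settings\\ymihh.scaxx
09:46:10.070,lsass.exe,CreateFile,C:\\WINDOWS\\system32\\sqlsodbc.chm
09:46:11.000,notepad.exe,CreateFile,C:\\WINDOWS\\system32\\notes.txt
"""

# ymihh.sca plus any number of trailing 'x' (the renamed variants the post mentions).
SCA_RE = re.compile(r"\\local settings\\ymihh\.scax*$", re.IGNORECASE)
CHM_RE = re.compile(r"\\system32\\sqlsodbc\.chm$", re.IGNORECASE)


def parse_events(text):
    """Split the CSV-like event lines into (time, process, operation, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        t, proc, op, path = line.split(",", 3)
        events.append((datetime.strptime(t, "%H:%M:%S.%f"), proc, op, path))
    return events


def find_periodic_dropper(text, period=5.0, tolerance=0.5):
    """Flag ymihh.sca* creations that the same process follows within one second by
    recreating sqlsodbc.chm, and report whether those pairs recur every `period` seconds."""
    creates = [(t, p, path) for t, p, op, path in parse_events(text) if op == "CreateFile"]
    hits = []
    for i, (t, proc, path) in enumerate(creates):
        if not SCA_RE.search(path):
            continue
        paired = any(
            p2 == proc and 0 <= (t2 - t).total_seconds() <= 1.0 and CHM_RE.search(pa2)
            for t2, p2, pa2 in creates[i + 1:]
        )
        if paired:
            hits.append((t, proc, path.rsplit("\\", 1)[-1]))
    intervals = [(hits[i][0] - hits[i - 1][0]).total_seconds() for i in range(1, len(hits))]
    return {
        "periodic": bool(intervals) and all(abs(d - period) <= tolerance for d in intervals),
        "processes": sorted({proc for _, proc, _ in hits}),
        "padded_names": sorted({name for _, _, name in hits if name.lower() != "ymihh.sca"}),
        "intervals": intervals,
    }
```

The "processes" list is the set a responder would look at in Process Explorer, and "padded_names" catches the ymihh.scax... renames that a plain file-name match would miss.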


#2 Orange Blossom


Posted 11 March 2009 - 10:51 PM

Hello Nicolas Buduroi,

Given what you stated here: "Sorry! I thought it was OK to post this log as a reply, just as a complement. I did not ask for analysis! Anyway, will I be ignored now? Do I need to repost my message somewhere else without the HJT log? I really just wanted a second opinion on my situation, nothing more. Thanks."

I've pruned off the HijackThis log and everything else, left that topic in the MisPlaced Log forum and closed it.

I am now moving this topic back to the Am I Infected forum.

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Running ComboFix by yourself is like performing open heart surgery on yourself--the scalpel and other surgical tools that ComboFix represents are meant to be wielded by a highly trained surgeon only in emergencies or dire circumstances. When the surgeon is through s/he leaves the room. So ComboFix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections.

. . . CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection--but if you aren't infected you might need those restore points.

Read and abide by the disclaimer, people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two. If you feel you need a second opinion, try running online scans. If you feel you might need surgery, come here to BC and ask for help--that is what we're here for.


From: http://www.bleepingcomputer.com/forums/ind...t&p=1159014

That said, we need a bit more information:

What is your operating system: Windows XP, Vista, etc.?

Please identify some of the sites you were redirected to but do not post live links.

Orange Blossom :thumbsup:

#3 Nicolas Buduroi


Posted 12 March 2009 - 07:26 AM

I'm running Windows XP. D'oh, I forgot to note the website addresses, but browsing my history, I only see these ones that look suspicious: 206.161.121.115, 206.161.121.82. Thanks

#4 boopme


Posted 19 March 2009 - 08:26 PM

Hello, please run these next.
From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.