
Virus is extremely well-hidden. Please Help!


9 replies to this topic

#1 superhighgain

superhighgain

  • Members
  • 8 posts
  • OFFLINE

Posted 26 March 2009 - 06:01 PM

I am an IT professional and usually can clean these up pretty well, but I am having loads of problems with this one and have work piling up that needs to be done on the infected PC. (Windows XP Pro, SP 3)

Symptoms:
  • Random shut-downs and redirects in IE. Automatic shutdown if I try to go to nearly any anti-virus site (including bleepingcomputer.com). Sometimes redirects to strange sites such as womansway.com, onlinebankingmyway.com, freestuff.com, etc. This is the one symptom that confirms to me that it is a virus of some sort and not another type of issue.
  • Impossible to update AVG. Won't let me run DDS.scr, even if I change the name.
  • Trying to run cmd.exe results in a restart of explorer.exe (at least that's what it looks like).
  • Latest version of Spybot S&D, MalwareBytes, and the quick scan of drweb-cureit detect NOTHING.
  • HJT shows nothing unusual - I would notice something different because I run a very streamlined system. If someone wants me to post a list of all the loaded .dll's, I'd be more than willing - as I would not notice if strange .dll's were loaded.
  • "Sysfader" and "Drop-down" errors on shutdown - I've done some research and this seems to be indicative of a virus changing IE's codebase
I will follow all instructions quickly and accurately, since my work is falling behind. I believe I got this from doing a search on a telephone number and clicking on one of the google entries that popped up. All symptoms showed up at once after this event. I use this computer for business only and am very perplexed how this could've happened, as I didn't think you could get a virus this bad simply from visiting a website. (I have strict ActiveX and Java security settings)

Any help much appreciated,
Superhighgain



#2 superhighgain

superhighgain
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE

Posted 27 March 2009 - 12:08 PM

Does anyone want to pick this one up? I'm nearly begging at this point. I figure this is a rootkit, and probably a new one. I'm almost ready to try ComboFix myself on this one.

Thanks,
Superhighgain

#3 mrguyface

mrguyface

  • Members
  • 6 posts
  • OFFLINE

Posted 27 March 2009 - 12:10 PM

Dude, I feel ya. This is the same problem I am having. A real pain in the arse... nobody is picking mine up either. This new virus or whatever it is, is very frustrating...

#4 snowdrop

snowdrop

  • Members
  • 513 posts
  • OFFLINE

Posted 27 March 2009 - 01:12 PM

> Does anyone want to pick this one up? I'm nearly begging at this point. I figure this is a rootkit, and probably a new one. I'm almost ready to try ComboFix myself on this one.
>
> Thanks,
> Superhighgain

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.


If you do a Google search for ComboFix as I did, you will discover that the tool searches for specific infections and, if run on a computer without those specific infections, the tool also can render your computer forever unbootable; hence one reason for the ComboFix Disclaimer.

May one suggest you fully update the Malwarebytes program and post the reports you have run for a Staff member to check out for you and go from there?

#5 superhighgain

superhighgain
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE

Posted 29 March 2009 - 05:49 PM

I'm going off the advice of another board member and posting a log in hopes that this one gets picked up by a pro. I couldn't update MBAM from the infected computer, but I did copy a completely up-to-date rules.ref file over from a clean computer and then ran a quick scan. Here is what I got:

Malwarebytes' Anti-Malware 1.34
Database version: 1916
Windows 5.1.2600 Service Pack 3

3/29/2009 5:14:51 PM
mbam-log-2009-03-29 (17-14-51).txt

Scan type: Quick Scan
Objects scanned: 65614
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

What's next? Another symptom that I've recently noticed is that the infected computer, a laptop, no longer displays the battery indicator when unplugged from AC.

Any help appreciated,
Superhighgain

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,565 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA

Posted 30 March 2009 - 03:06 PM

Hi, sorry but we are swamped here lately. That version of MBAM is old and needs to be updated.

Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 superhighgain

superhighgain
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE

Posted 30 March 2009 - 05:06 PM

Okay, here is the MBAM log:

Malwarebytes' Anti-Malware 1.35
Database version: 1921
Windows 5.1.2600 Service Pack 3

3/30/2009 5:02:20 PM
mbam-log-2009-03-30 (17-02-20).txt

Scan type: Quick Scan
Objects scanned: 66049
Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And here is an export of the area of the registry suggested by the above poster:

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Class Name: <NO CLASS>
Last Write Time: 3/24/2009 - 2:38 PM
Value 0
Name: midimapper
Type: REG_SZ
Data: midimap.dll

Value 1
Name: msacm.imaadpcm
Type: REG_SZ
Data: imaadp32.acm

Value 2
Name: msacm.msadpcm
Type: REG_SZ
Data: msadp32.acm

Value 3
Name: msacm.msg711
Type: REG_SZ
Data: msg711.acm

Value 4
Name: msacm.msgsm610
Type: REG_SZ
Data: msgsm32.acm

Value 5
Name: msacm.trspch
Type: REG_SZ
Data: tssoft32.acm

Value 6
Name: vidc.cvid
Type: REG_SZ
Data: iccvid.dll

Value 7
Name: VIDC.I420
Type: REG_SZ
Data: msh263.drv

Value 8
Name: vidc.iv31
Type: REG_SZ
Data: ir32_32.dll

Value 9
Name: vidc.iv32
Type: REG_SZ
Data: ir32_32.dll

Value 10
Name: vidc.iv41
Type: REG_SZ
Data: ir41_32.ax

Value 11
Name: VIDC.IYUV
Type: REG_SZ
Data: iyuv_32.dll

Value 12
Name: vidc.mrle
Type: REG_SZ
Data: msrle32.dll

Value 13
Name: vidc.msvc
Type: REG_SZ
Data: msvidc32.dll

Value 14
Name: VIDC.UYVY
Type: REG_SZ
Data: msyuv.dll

Value 15
Name: VIDC.YUY2
Type: REG_SZ
Data: msyuv.dll

Value 16
Name: VIDC.YVU9
Type: REG_SZ
Data: tsbyuv.dll

Value 17
Name: VIDC.YVYU
Type: REG_SZ
Data: msyuv.dll

Value 18
Name: wavemapper
Type: REG_SZ
Data: msacm32.drv

Value 19
Name: msacm.msg723
Type: REG_SZ
Data: msg723.acm

Value 20
Name: vidc.M263
Type: REG_SZ
Data: msh263.drv

Value 21
Name: vidc.M261
Type: REG_SZ
Data: msh261.drv

Value 22
Name: msacm.msaudio1
Type: REG_SZ
Data: msaud32.acm

Value 23
Name: msacm.sl_anet
Type: REG_SZ
Data: sl_anet.acm

Value 24
Name: msacm.iac2
Type: REG_SZ
Data: C:\WINDOWS\system32\iac25_32.ax

Value 25
Name: vidc.iv50
Type: REG_SZ
Data: ir50_32.dll

Value 26
Name: msacm.l3acm
Type: REG_SZ
Data: C:\WINDOWS\system32\l3codeca.acm

Value 27
Name: wave
Type: REG_SZ
Data: wdmaud.drv

Value 28
Name: midi
Type: REG_SZ
Data: wdmaud.drv

Value 29
Name: mixer
Type: REG_SZ
Data: wdmaud.drv

Value 30
Name: MSVideo8
Type: REG_SZ
Data: VfWWDM32.dll

Value 31
Name: aux
Type: REG_SZ
Data: C:\DOCUME~1\z\LOCALS~1\Temp\..\pjemwn.ajw


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server
Class Name: <NO CLASS>
Last Write Time: 12/15/2007 - 7:17 PM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Class Name: <NO CLASS>
Last Write Time: 12/15/2007 - 7:17 PM
Value 0
Name: wave
Type: REG_SZ
Data: rdpsnd.dll

Value 1
Name: mixer
Type: REG_SZ
Data: rdpsnd.dll

Value 2
Name: MaxBandwidth
Type: REG_DWORD
Data: 0x56b9

Value 3
Name: wavemapper
Type: REG_SZ
Data: msacm32.drv

Value 4
Name: EnableMP3Codec
Type: REG_DWORD
Data: 0x1

Value 5
Name: midimapper
Type: REG_SZ
Data: midimap.dll


Thanks for the help,
Superhighgain

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,565 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA

Posted 31 March 2009 - 10:59 AM

Let's see what running Part 1 of S!Ri's SmitfraudFix shows.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy


Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Now run SDFix:
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#9 superhighgain

superhighgain
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE

Posted 31 March 2009 - 03:54 PM

As one of the above posters noted, this was the problem:

Value 31
Name: aux
Type: REG_SZ
Data: C:\DOCUME~1\z\LOCALS~1\Temp\..\pjemwn.ajw

I renamed this file, rebooted, and what do you know, no more redirects or explorer.exe restarts. Some of my networking is screwed up, though. The network items on the taskbar don't show up and I'm having all sorts of trouble connecting to wireless networks. It seems that the bugger left behind a bit of a mess.

MBAM, SmitFraudFix, and Spybot S&D detect nothing -- even with this file, inactive, sitting in a directory. It must be a new variant. I wish I knew how to clean up whatever mess it made.

I'm sure lots of other folks are suffering from this same virus, so I hope this variant gets incorporated into the anti-malware programs soon.

Thanks,
Superhighgain
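The thread resolves on one Drivers32 value ("aux") whose data points into a user's Temp directory via a ".." path and carries a non-driver extension, while every other value in the export names a codec or driver in the usual locations. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it parses the plain-text registry export format shown in post #7 ("Key Name:", "Value N", "Name:", "Type:", "Data:") and flags REG_SZ values that do not look like a stock Windows codec or driver. The embedded sample export is constructed from a few of the posted lines, and the heuristics (allowed extensions, temp/profile markers, the system32 prefix) are assumptions a defender would tune for their own environment, not a vendor rule set.

```python
"""Flag suspicious entries in a Drivers32 registry export (added example)."""
import re
from typing import Dict, Iterator, List

# Constructed sample: a trimmed copy of the export posted in the thread.
SAMPLE_EXPORT = r"""
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Class Name: <NO CLASS>
Last Write Time: 3/24/2009 - 2:38 PM
Value 0
Name: midimapper
Type: REG_SZ
Data: midimap.dll

Value 1
Name: msacm.l3acm
Type: REG_SZ
Data: C:\WINDOWS\system32\l3codeca.acm

Value 2
Name: aux
Type: REG_SZ
Data: C:\DOCUME~1\z\LOCALS~1\Temp\..\pjemwn.ajw

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Class Name: <NO CLASS>
Last Write Time: 12/15/2007 - 7:17 PM
Value 0
Name: wave
Type: REG_SZ
Data: rdpsnd.dll
"""

# Assumed allow-list: extensions Windows itself uses for Drivers32 codecs/drivers.
ALLOWED_EXT = {".dll", ".drv", ".acm", ".ax"}
# Assumed markers of a user-writable location or path traversal (case-insensitive).
BAD_MARKERS = ("\\temp\\", "docume~1", "local settings", "\\..\\")
SYSTEM32_PREFIX = re.compile(r"^[a-z]:\\windows\\system32\\")
LINE = re.compile(r"^(Key Name|Name|Type|Data):\s*(.*)$")


def parse_export(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per value: key path, value name, type and data."""
    key = None
    entry: Dict[str, str] = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        field, value = m.group(1), m.group(2)
        if field == "Key Name":
            key = value
            entry = {}
        elif field == "Name":
            entry = {"key": key or "", "name": value}
        elif field == "Type":
            entry["type"] = value
        elif field == "Data":
            entry["data"] = value
            yield entry
            entry = {}


def suspicious_reasons(data: str) -> List[str]:
    """Return the heuristic reasons a Drivers32 data string looks wrong (empty if none)."""
    reasons = []
    lowered = data.lower()
    basename = lowered.rsplit("\\", 1)[-1]
    ext = "." + basename.rsplit(".", 1)[1] if "." in basename else ""
    if ext not in ALLOWED_EXT:
        reasons.append(f"unexpected extension {ext or '(none)'}")
    if any(marker in lowered for marker in BAD_MARKERS):
        reasons.append("path under a user temp/profile directory or uses '..' traversal")
    # Bare file names are resolved from the system directory; absolute paths should stay there.
    if ":" in lowered and not SYSTEM32_PREFIX.match(lowered):
        reasons.append("absolute path outside %SystemRoot%\\system32")
    return reasons


def scan_export(text: str) -> List[Dict[str, object]]:
    """Parse an export and return the REG_SZ values that trip any heuristic."""
    findings: List[Dict[str, object]] = []
    for entry in parse_export(text):
        if entry.get("type") != "REG_SZ":
            continue  # REG_DWORD settings such as MaxBandwidth are not load paths
        reasons = suspicious_reasons(entry["data"])
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"{f['key']}\n  {f['name']} = {f['data']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the constructed export it reports only the "aux" value, with all three reasons; a live system would be checked by exporting the Drivers32 key with the same tool and feeding the text to scan_export. The bare-name check is deliberate: entries such as midimap.dll are loaded from the system directory, so only absolute paths are compared against the system32 prefix.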

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,565 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA

Posted 31 March 2009 - 09:10 PM

Ok, glad it's fixed for you.
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.



