Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Lots of viruses starting along with spy-agent.bw mem [Moved]


  • Please log in to reply
1 reply to this topic

#1 Annu

Annu

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:03 AM

Posted 20 June 2009 - 10:12 PM

Hi All,

First of all please excuse me for not posting the DDS/HJT logs here. I'm not able to download/run anything on my computer. I've detailed the problem below. If anyone can help me with this please let me know.

Strange IE windows started popping up warning about security etc. etc. I use firefox and not IE so I was surprised how the infection came through IE. I ran McAfee and it found spy-agent.bw and several other viruses (generic, online games etc.) in different files and it said it cleaned all of them, however, it wasn't able to clean the winlogon.exe process that was in memory. When I rebooted again, CPU usage was very high and McAfee on access scan had been disabled. There were a lot of weird executables in the task manager. dncyool.sys liser.exe b.exe whsjlhyw.exe jqs.exe, liser.exe etc. I terminated some of them, but they kept coming back, QTTask.exe had a very large memory usage whsjlhyw.exe would replicate and create 4 to 5 instances when I tried to terminate it. I found the dncyool.sys file on the HD but couldn't delete it cause it said it was locked. I ran Mcafee again and it cleaned a whole bunch of files again.

I figured McAfee was not able to clean it so I downloaded exterminate it but the setup program wouldn't run. I already had malware bytes anti-malware installed but it also would not run. When I used to firefox to access any websites such as Mcafee or symantec or bleepingcomputer firefox would just close. I was unable to run regedit because it said administrator had disabled registry editing. I downloaded vbscript I found online to which said it fixed the issue and told me to restart.

I restarted the machine again but this time it would just show me the desktop background and stop nothing would come up. And it had some of those weird executables again in the task manager. I was able to run regedit using the new task option in the task manager. And I used it to remove some items under hkey_local_machine\software\microsoft\network\windows nt\currentversion\UID with had my host name and some number. I also set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe. I found these things on some website. I also found some of the executables like whsjlwyw.exe, b.exe some registry items like blud, kell etc.

I removed all of these and then restarted my computer. Now it still stays with just the desktop background but I can't even run anything using the new task option in task manager. Every time I try to run something a choose application window show up that asks me to select the application with which I want to open it. I just selected firefox, it did bring up firefox which tries to save the executable that I wanted to run. It now has jqs.exe, b.exe and liser.exe. I can terminate these tasks. However, even when they are not running I can't use firefox to access this bleeping computer website, firefox exits the moment I do.

I guess my computer is toast I just have to copy my data and reformat the drive and reinstall windows. But I just wanted to see if anyone can help me with this. May be some newer virus/variant.

Thanks
Annu

Edited by The weatherman, 21 June 2009 - 04:53 AM.
Moved from hjt to a more appropriate forum. TW


BC AdBot (Login to Remove)

 


#2 Zllio

Zllio

  • Members
  • 1,107 posts
  • OFFLINE
  •  
  • Local time:12:03 AM

Posted 24 June 2009 - 06:50 AM

Hi Annu,

Sorry for the wait and the shuffling around. Do you still need help? Where your computer has been so compromised, I would first caution you to disconnect it from the internet physically. You mentioned you're not able to download and run anything. Is it possible for you to download a program to an external medium like a flash drive or even better, a read-only cd and then run the program from there? Can you get into Safe Mode? If so, let's start with the following:


Step 1: AFT Cleaner



If you're running XP, please run ATF cleaner according to the following instructions. If you're using Vista, please skip this step and continue with step 2.


Please download ATF Cleaner by Atribune & save it to your desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".



Step 2: MalwareBytes


Please download Malwarebytes Anti-Malware and save it to your desktop.
MalwareBytes

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable security programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Step 3: If you can get to add/remove programs, look for anything that you don't recognize make a note of it and tell me. There may be some programs that need un-installing.

I'll wait to hear back from you.
Zllio





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users