Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


A Stubborn Malware

  • Please log in to reply
3 replies to this topic

#1 TheVictim


  • Members
  • 3 posts
  • Local time:01:59 PM

Posted 04 August 2009 - 03:02 AM

First things first, I have read the preparation guide and tried to do everything it said. However when I downloaded Cobian Backup, its setup file on my desktop does not open. It shows the Windows security warning and when I click run the computer tries to open it but is stopped, probably by the stubborn malware, I'm talking about. The same thing happens for the DDS tool and anything new that entered the computer after the infection. When I enter my control panel and try to enable the firewall, it doesn't allow me to enter the firewall settings and other settings in the control panel. Now that my malware has disabled the preparations listed, I'm beginning to suspect that it has a mastermind or a hacker behind it who uses my computer like a puppet.
Now I'm going to explain how I got this malware and the problems it caused/causing sequentially. I had just installed Dev-C++ and decided to upgrade it from devpaks.org. When I confirmed the updating, I noticed that one of the devpaks' name was "SECURITY WARNING!!!". It was too late to stop it as it was already installed and the computer screen became white and returned normal in a split second. Then Symantec Endpoint Protection gave a warning saying a PDF file was trying to tamper with it. Then I tried to open Symantec and other programs including Mozilla Firefox (which I was going to use to download other antivirus software), but they didn't open after the computer tried to open it, hinted by a blinking small hourglass beside my mouse pointer. I had also downloaded and ran UniBlue Security booster and it found lots of registry issues saying it would fix only 15. I thought it would be better than nothing so I allowed it to fix 15 registry issues. So, I decided to restart my computer. When it was opening, the screen that showed the loading screen with the Windows logo stood still and then followed by a black screen continued to load. Then, a log-in screen showed which never actually happened before with my user name written and a blank password entry. I am the only one using this computer so I was shocked at why it would require a log-in screen, which previously was a bluelayout screen with my name written as the user and my picture which I used to click on and my computer would open. I hadn't put up any passwords so I just clicked OK and I could only see my desktop background and the icons did not load followed by a Data Execution Prevention message saying Userinit Logon Application has been closed for the computers safety. After closing the message, I could then access the Task manager which I used to run explorer.exe and got my Desktop back. I then open the Internet and download some anti-malware software including malwarebytes and cyberdefender none of them found anything in my computer said it wasn't infected. The only program giving warnings was symantec showing logs of 26 tamper situations, throughout the stay of this malware symantec is giving logs with 46 tamper situations. I ran a full scan using Symantec and it had problems scanning 3 files saying a problem extracting the Decomposer Engines.
Also I noticed that another user has been created in the log-in place called "Administrator" which when I try to log-in to opens up a windows 98 desktop background and gets stuck there till I log-in again as myself. Every time I restart my system I have or not some limitations. For example, I can only access the task manager when I have a lucky restart cause most of the time it doesn't allow me to open the task manager. When I download new things, I first need to restart so that I can execute them, cause otherwise the computer just tries to open them but gives up quickly. Symantec says its Proactive Threat Protection was disabled and it has to be updated with new definitions I update it but it still says its disabled.
All of my files are intact at the moment and I haven't lost them, I have downloaded Cobian but in order for it to load the setup I need to restart the computer, but I'm afraid that next time I won't be so lucky. I tried using Stinger but when I try to run it it says "Stinger has been infected and needs to close."
I have never ever had a malware infect my computer before I always were overcautious and kept my antivirus software up-to-date. From the symptoms its showing I think my computer has a major infection. If it helps the names of one of the files Symantec can't scan is: (I can't access to Symantec right now the virus just stops it, but fortunately I had copied one of the file destinations) c:\System Volume Information\_restore{75388371-87EC-46D0-A708-24394431BADC}\RP165\A0025162.exe
Thank you for your help in advance, I really need an answer immediately.

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,567 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:01:59 PM

Posted 04 August 2009 - 11:17 AM

Hello can you run MBAM...
Some types of malware will disable MBAM (MalwareBytes) and other security tools. If MBAM will not install, try renaming it.

Before saving any of your security programs, rename them first. For example, before you save Malwarebytes', rename it to something like MBblah.exe and then click on Save and save it to your desktop. Same thing after you install it. Before running it, rename the main executable file first
Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run..

Another work around is by not using the mouse to install it, Just use the arrow keys, tab, and enter keys.
Open up command prompt, type in following commands:
XP >> click the Start menu at the lower-left of your computer's desktop and select "Run". Type cmd into the Run box and click "OK".
Vista >> click the Start menu at the lower-left of your computer's desktop and Type cmd in the search box.

regsvr32 mbamext.dll
regsvr32 ssubtmr6.dll
regsvr32 vbalsgrid6.ocx
regsvr32 zlib.dll

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 TheVictim

  • Topic Starter

  • Members
  • 3 posts
  • Local time:01:59 PM

Posted 06 August 2009 - 02:25 AM

Thank you for your immediate reply boopme. I had ran Malwarebytes before but now I tried it with System Restore turned off and it found 12 infections, I removed them of course, but the problem persists. Here is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3 (Safe Mode)

8/6/2009 9:59:31 AM
mbam-log-2009-08-06 (09-59-31).txt

Scan type: Quick Scan
Objects scanned: 98344
Time elapsed: 3 minute(s), 10 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\7.tmp (Spyware.Festeal) -> Quarantined and deleted successfully.
C:\Documents and Settings\kerim\Local Settings\Temporary Internet Files\Content.IE5\8C69YT7S\mal[1].htm (Spyware.Festeal) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\kerim\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\kerim\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.

#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,082 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:59 PM

Posted 06 August 2009 - 07:24 AM

Your log shows evidence that your system is infected with a nasty variant of the virut virus which creates copies of itself in various locations to include %System%, %Temp% and/or %UserProfile% folders. Please see ThreatExpert's awareness of the file "reader_s.exe".

Virut is a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml ). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/VirutThis kind of infection is often contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Edited by quietman7, 06 August 2009 - 07:26 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users