
Pretty sure it's Virut, but can't really confirm.



#1 VirutPwned me


Posted 07 October 2009 - 10:17 PM

Howdy,

First a quick background so you know how much I know and don't. I'm basically a total noob who gets rid of those really easy viruses for friends and family, through my own work and finding info on forums. It's been a while, but there is a computer which is totally owning my small knowledge base.

OK, so the virus, I'm pretty sure, is Virut. However, I have no idea how to check. I have HijackThis, but I can't get it onto the required PC, it's so bonkers.

This is what I have so far. He came to me saying, man, the computer was messed up, the internet kept disappearing for no reason, and recently I just can't do anything.

So I grabbed it and did the basics. Ctrl+Alt+Del is your friend, and I found out his QuickTime was pumped up to take the whole processor. I tried stopping it by just hitting Enter, but it didn't work.

Then I came up with the idea of lowering the process priority to low and then trying again, and I killed it. Right after killing it I could use the PC.

So I opened up msconfig and made sure that qttask.exe wouldn't be starting again, hit restart and let it roll.

So I start it and open up Ctrl+Alt+Del to see what's up, when I see a bunch of random letters pop up. I remove that program and the same letters pop up twice; I remove those two and a different random letter pops up, then random numbers, and just a whole crazy amount of obvious malware.

It calms down and I am down to an executable with the name of my friend, which I crack a joke at him about, saying he is his own worst enemy.

And the thing I now hate most in this world, though it gave me some good laughs: reader_s.

At this point I open msconfig and get rid of all the weird things that are starting and hit restart, just to discover that all the entries I have stopped have been replaced by copies. So I basically did nothing, but now I have the same file being opened, checked and unchecked.

So I get to trying things out, since I didn't assume it might be some kind of hulk virus, and I start grabbing and deleting things which seem to obviously be off. He had a folder called Startup with two files, called nhaupd32 and uecupp32, which were part of the random processes starting, and he had no idea what they were, so I deleted the files and stopped them from starting up with msconfig. Restart and all good, those two were gone.

I then check msconfig for things that look off and I figure I'll kill the program with my friend's name. This is actually where I figure I'm dealing with something crazy, because it's in a folder but it's obviously set to hidden. So I go to the folder options and change it so I can see hidden items, but nothing happens. I figure I misclicked and do it again, and nothing. Turns out apparently something in his computer is setting it such that I can't see hidden files.

Figuring I'll deal with it later, I move to reader_s.exe, delete it and stop it in msconfig. Turns out if you delete it, it regenerates itself and makes a copy of itself in a different folder. Gave me a good laugh, especially when I noticed it said it was from Microsoft.

Then, through reading random things on the internet, I tried using Data Execution Prevention, which somehow made it such that I managed to stop reader_s from starting on the PC at startup. However, randomly I got the good old BSOD; I entered the last known good configuration and it all worked out for the best. Meanwhile I found out he had a partition and that the one that was empty had a really weird executable and a bunch of files with the names of the things that I kept deleting at startup, so I deleted all of that, but I couldn't delete the executable called icsogi. I tried a bunch of random things but couldn't get rid of it, period. Might have been a good thing, who knows :thumbsup:. Anyway, it stopped a lot of random executables at startup. And, through me not knowing what the hell that .exe was, I changed it to .l just to keep it from doing anything too easily.

Then I tried to enter the good old internet on his computer, to find out it opens for like 0.5 sec and closes. Then I ran AVG, to find out it runs for like 0.5 sec and closes. I can run AVG in safe mode; however, when it opens the cmd window it stays open for like 0.5 sec and closes, meaning I can't get a diagnostic.

At this point I now get back to normal mode, and somewhere along the way his sound driver died. Probably something I turned off in msconfig, but nothing I was worried about. Which brings me to where I am right now.

Staring straight at reader_s with no idea if it is Virut or not, and staring at an executable I know is there, hidden, but I can't make it show.

Sorry for my English, I'm Portuguese and it's a bit rusty.

Oh yeah, and the weirdest thing: though I still can't access anti-virus or the internet, there are only 31 processes running.

Maybe I missed something. I can copy the running processes, so I'll put them down:

System 77.656 K
Explorer 33.628K
Avgcsrvx 10784 K
Avgemc 1.060 K
Avgnsx 1.784 K
Avgrsx 272 K
Avgwdvc.exe 2.188 K
Btwdin.exe 3.201 K
Csrss.exe 3.548 K
ctfmon.exe 3.812 K
hkcmd.exe 4.684 K
hpwuSchd2 3.032 K
iffxtray 4.600 K
jusched 2.740 K
lsass 1.512 K
msconfig 5.280 K <--- have it on :flowers:
System Idle Process 28 K
services 6.216 K
smss 416 K
spoolsv 6.996 K
7 svchost 3.700 - 18.000 K
winlogon.exe 6.992 K
taskmgr 10.168 K
SynTpEnh 4.736 K
SynTpLpr 3.712 K

This is after I force-stop all the other programs which pile up on startup with Ctrl+Alt+Del.

Wow, wall of text crits you for 900 dmg.

Thanks so much to anyone who did even as much as just read this whole thing.
Help is appreciated :trumpet:


#2 garmanma


Posted 08 October 2009 - 01:41 PM

Welcome to BC

If you definitely have reader_s, I would recommend a reformat and reinstall.


Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Be sure to update MBAM through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the report in your next reply.

Note: MBAM uses Inno Setup instead of the Windows Installer Service to install the program. If installation fails in normal mode, try installing in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.



------------------------------------

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.


alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
---------------------------
Be sure to re-enable your AV and malware scan tools if they were disabled

================================



We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

#3 VirutPwned me


Posted 09 October 2009 - 09:20 AM

OK, reading and working on it; will edit when done.

Thanks :thumbsup:

Edit:

Question: is it safe to use a pen drive? I definitely have a reader_s file, though it says it's Microsoft, lol. Can't access the internet on the damaged laptop.

Downloading onto a pen drive, and then I will use it and put it aside, I guess.

Edit 2:

OK, so after renaming mbam I managed to run it. However, as soon as the window popped up and I chose the language, it automatically closed. Tried several different names and .scr, but no go; the installation window just got removed from processes.

Ran RootRepeal just fine under RootToy.exe, not sure if the rename was needed, just did it. Oh yeah, and I didn't even realise it, but since I was trying safe mode to install MBAM, I ran it in safe mode. Let me know if that's an issue.

Sorry if this isn't as clean or perfect as possible, but with no internet access and kinda scared to use a pen drive, I'm just going to write the log directly in here.

Drivers
---------------

None had a status. None of the files were visible.


All except the first one had the path
D:\WINDOWS\System32\Drivers\


Name: 814f1e0afd17f8599d0c19efd3f6dcf1.sys
Image Path: 814f1e0afd17f8599d0c19efd3f6dcf1.sys

Name: dump_atapi.sys

Name: dump_WMLIB.sys

Name: roottoy.sys


Hidden Locked Files
-----------------------

Path: d:\windows\nbtlog.txt <- small d and windows on purpose
Status: Size mismatch(API:1058796, Raw 1054290)

Path: D:\WINDOWS\system32\814f1e0afd17f8599d0c19efd3f6dcf1.sys <- same as the driver one. You could probably tell, just to save you checking all the letters.
Status: Invisibe to windows API!

Path: D:\WINDOWS\system32\kbiwkmcbrpibnw.dat ]
Status: Invisibe to windows API! ] } 35 of these, except not only .dat; there are .tmp and .dll too

Such that

Path: D:\WINDOWS\system32\kbiwkm(10 random letter).dat/.tmp/.dll X 35
Status: Invisibe to windows API!

Sorry, I kinda felt lazy about copying everything down; let me know if it is necessary.

Path: d:\windows\dllcache\ndis.sys <- small d and windows on purpose
Status: Size mismatch(API:182912, Raw: 212480)

Path: d:\windows\dllcache\btwdndis.sys <- small d and windows on purpose
Status: Size mismatch(API:182912, Raw: 148040)

Path: d:\windows\documents and settings\owner\definicoes locais\temp\63ee2a4c-1230-44fd-95a8-ca82ae1e2387.tmp <- small d and windows on purpose
Status: Size mismatch(API:65536, Raw: 0)

Path: d:\programas\software widcomm\bluetooth\bin\btwdnis.sys
Status: Size mismatch(API:182912, Raw: 148040)

Path: d:\windows\softwaredistribution\download\eade054874a65e64b0ef7051e3b7b212\ndis.sys
Status: Size mismatch(API:182912, Raw: 182656)

Path: d:\windows\documents and settings\owner\definicoes locais\temp\wer5a5e.dir00\sysdata.xml
Status: Size mismatch(API:408, Raw: 0)

Path: d:\windows\documents and settings\owner\definicoes locais\temporary internet files\content.ie5\2qtgtpnt\pic[1].jpg
Status: Size mismatch(API:24576, Raw: 0)

Path: d:\windows\documents and settings\owner\application data\macromedia\flash player\macromedia.com\support\flashplayer\sys
Status: Size mismatch(API:182912, Raw: 0)

Path: d:\windows\documents and settings\owner\application data\macromedia\flash player\macromedia.com\support\flashplayer\sys
Status: Size mismatch(API:182912, Raw: 0)

Weird, same entry twice; guess it reached some character cutoff.

Stealth Objects
-----------------
Object: Hidden Module [Name: Kbiwkmnssfvpet.dll]
Process:svchost.exe (PID:412) Adress:0x10000000 Size:57344

Hidden Services
-------------------

Service Name: 814f1e0afd17f8599d0c19efd3f6dcf1
Image path: system32\814f1e0afd17f8599d0c19efd3f6dcf1.sys

Service Name:cvsdjxpb
Image Name: %SystemRoot%\system32\svchost.exe -k netsvcs

Service Name:kbiwkmafwbwvbn
Image Path: D:\Windows\system32\drivers\kbiwkmevxsilbl.sys
==EOF==

Thanks for your help man :flowers:

Edited by VirutPwned me, 09 October 2009 - 10:34 AM.


#4 garmanma


Posted 09 October 2009 - 04:41 PM

814f1e0afd17f8599d0c19efd3f6dcf1.sys
There's your rootkit

Before using your pen drive,
using a clean machine:
be sure to hold down the Shift key when inserting the pen drive.

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

========================================================

Using the log from your last post



Now that you were successful in creating a log, you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that this log was all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck

Edited by garmanma, 09 October 2009 - 04:42 PM.
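The triage Mark does by eye above (pulling the hidden driver and its matching hidden service out of the RootRepeal report) as an added Python example; this is not code from the thread or from RootRepeal. It parses a constructed report in RootRepeal's layout (entries modelled on the poster's transcription, not the verbatim log), ranks each finding, and groups hidden names that share a family prefix such as kbiwkm.

```python
import re
from collections import defaultdict
# Constructed sample in RootRepeal's report layout, modelled on the poster's entries.
SAMPLE_LOG = """\
Hidden/Locked Files
-------------------
Path: D:\\WINDOWS\\system32\\814f1e0afd17f8599d0c19efd3f6dcf1.sys
Status: Invisible to Windows API!

Path: D:\\WINDOWS\\system32\\kbiwkmcbrpibnw.dat
Status: Invisible to Windows API!

Path: d:\\windows\\dllcache\\ndis.sys
Status: Size mismatch (API: 182912, Raw: 212480)
Hidden Services
---------------
Service Name: 814f1e0afd17f8599d0c19efd3f6dcf1
Image Path: system32\\814f1e0afd17f8599d0c19efd3f6dcf1.sys

Service Name: kbiwkmafwbwvbn
Image Path: D:\\Windows\\system32\\drivers\\kbiwkmevxsilbl.sys
==EOF==
"""
def parse_rootrepeal(text):
    """Split the report into sections, each a list of {key: value} entries."""
    sections, section, entry = defaultdict(list), None, {}
    for line in map(str.strip, text.splitlines() + [""]):  # trailing "" flushes last entry
        if ":" in line and section:                   # "Key: value" line
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        else:                                         # anything else closes the entry
            if entry:
                sections[section].append(entry)
            entry = {}
            if line and line != "==EOF==" and set(line) != {"-"}:
                section = line                        # section header
    return sections

def triage(report):
    """Rank entries: hidden-from-API files and hidden services outrank mismatches."""
    findings = []
    for e in report.get("Hidden/Locked Files", []):
        name, status = e.get("path", "").rsplit("\\", 1)[-1], e.get("status", "")
        if status.lower().startswith("invisible"):
            findings.append(("high", name, "hidden from the Win32 file API"))
        elif (m := re.search(r"Raw:?\s*(\d+)", status)):
            raw = int(m.group(1))
            # raw 0 is usually a file still being written; a .sys that differs on disk merits a look
            sev = "medium" if raw and name.lower().endswith(".sys") else "low"
            findings.append((sev, name, f"size mismatch, {raw} bytes on disk"))
    for e in report.get("Hidden Services", []):
        findings.append(("high", e.get("service name", ""), "hidden service -> " + e.get("image path", "")))
    return findings

def naming_clusters(findings, prefix_len=6):
    """Group high-severity names sharing a prefix (one rootkit family, many names)."""
    groups = defaultdict(set)
    for sev, name, _ in findings:
        if sev == "high":
            groups[name.lower()[:prefix_len]].add(name)
    return {p: sorted(n) for p, n in groups.items() if len(n) > 1}
```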


#5 VirutPwned me


Posted 10 October 2009 - 01:45 PM

Thank you very much



