
Combo-fix unable to remove virus


This topic is locked
2 replies to this topic

#1 jinesh

  • Members
  • 3 posts

Posted 16 April 2010 - 02:02 AM

Pasting in contents from other posts. ~ OB

Hello,

I have got this Bozic virus on my PC. I have mentioned in points below the info I found about the virus on my PC and the series of events that occurred:

1. The virus deleted AVG and didn't let me run Spybot & HijackThis.

2. It tries to send email when I put on the router and connect to internet.

3. It tried to shut down my computer when I ran Spybot and HijackThis after renaming the exe files of the software.

4. Spybot found registry entries titled proRAT which had disabled auto protect and had shell command executions.

5. There is a file called Csrss.exe with a folder icon in my Users folder. I am pretty sure that's the virus since the original should be in the 'System32' folder.

6. I installed Comodo Firewall and it reported Csrss.exe as Shellcode Injection in the log. I think it's attaching itself to the system process to hide.

7. I have got this software called 'File Assassin' which deletes files by unlocking handles from the running processes so I can delete the Csrss.exe file. But when I tried to delete it Windows crashed and restarted.
File Assassin has got an option of deleting the file before Windows starts, so I was wondering should I delete the file? Will it cause any problem?

8. When I plugged in my USB flash drive the virus copied itself on it. Below is the text from the autorun.inf file on the flash drive:
[autorun
-dSAƒ—◊*ƒ◊‰◊*ƒŒdakLDKWQdAKLS??DKWLQ?Dƒ∆€‹‘∆€‹‘‚…∆ά…‚‘€€‘ƒ‘€ƒ‘€›∆Ÿ……‚٬ƒ∆‚‘ƒ∆‚ηŸ˜˚∆‘ƒ‰˜€ƒ∆—‘∆ƒˆʬƒ…›‚ˆ‚‰ƒ∆∆Ÿƒˆ˝‚‰›‰‚˚‘ƒ∆˜‘€ƒ∆—…
open=VANJA/bozic.exe
action=Open folder to view files using Windows Explorer
icon=VANJA/bozic.exe
Shell\open\command=VANJA/bozic.exe
shell\open\command=VANJA/bozic.exe
USEAUTOPLAY=1

Vanja Bozic sounds like an Italian name.

So does anyone have any suggestions for what I should do to get rid of this malware?

==================

Hello,

I have a hidden Csrss.exe file in my Users folder and it has a folder icon. I saw in Task Manager that it has CPU usage priority set to high. And the virus has deleted my AVG installation and won't let Spybot and HijackThis run. So when I ran Spybot after renaming the Spybot filename the virus tried to shut down my computer; I tried to stop the shutdown by aborting it in the Run command but the shutdown timer just kept on appearing.
Also I have tried to delete the file but it won't let me, so I used a program called File Assassin. When I try to use File Assassin on Csrss the computer restarts.

The virus has also modified the hosts file, pointing almost all the help sites and antivirus sites to the IP 101.78.193.115. Random files keep on appearing in Temp and Temporary Internet Files, e.g. gftr.exe, nyluta.exe, clr.exe etc.

When I connect to the internet on the machine, scvhost.exe tries to send emails using my mail program.

Please can anyone tell me how to get rid of this virus.

End of added content. ~ OB

ComboFix 10-04-11.06 - Thacker 15/04/2010 23:55:40.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.495.164 [GMT 5.5:30]
Running from: c:\documents and settings\Thacker\Desktop\New Folder\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Quick Heal 10.00 *On-access scanning disabled* (Outdated) {05C1329D-F0E0-4B19-9D15-54F9BC3ADE87}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Thacker\Local Settings\Temporary Internet Files\favicon.ico
c:\program files\INSTALL.LOG
c:\windows\eSellerateEngine.dll
c:\windows\system32\CFSCODE.DLL
c:\windows\system32\cncs32.dll
c:\windows\system32\mcicode.dll
c:\windows\system32\shutdown .exe
c:\windows\system32\userini.exe
c:\windows\system32\w32apiw.dll
c:\windows\system32\winupd01.exe
c:\documents and settings\Thacker\csrss.exe . . . . failed to delete
c:\documents and settings\Thacker\secupdat.dat . . . . failed to delete
c:\windows\system32\secupdat.dat . . . . failed to delete


Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\beep.sys


Can anyone tell me what I can do to fix this?

Edited by Orange Blossom, 17 April 2010 - 11:08 PM.
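Two of the artifacts in the post above are easy to triage mechanically: the autorun.inf dropped on the flash drive (handler keys pointing at an executable, a junk line after the section header, and the "Open folder to view files" wording copied from Explorer's own AutoPlay entry) and the hosts file that redirects security-vendor names to a remote address. The script below is an added example written for this thread, not code from the original post or from any tool mentioned in it. The autorun.inf and hosts samples are constructed to match the post's description (the `101.78.193.115` address is the one the poster reports), the `SECURITY_DOMAINS` vendor list is a constructed stand-in for a fuller one, and the `shellexecute` key is included from general knowledge of the autorun.inf format rather than from the post.

```python
"""Triage helpers for two artifacts described in the post: a removable-drive
autorun.inf whose handlers point at an executable, and a hosts file that
redirects security-vendor names to a remote address.  Added example code,
not from the thread; all sample inputs are constructed."""
import ipaddress
import re
from typing import Dict, List, Tuple

# autorun.inf keys that XP-era AutoRun/AutoPlay would act on.  Any of them
# naming an executable on a flash drive is a strong infection indicator.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

# Constructed sample mirroring the layout quoted in the post: a header with no
# closing bracket, a junk line of binary garbage, then duplicate handler keys.
SAMPLE_AUTORUN = (
    "[autorun\n"
    "-dSA\u0192\u2014\u25ca*\u0192\u25ca\u2030\u25ca*JUNKLINEJUNK\n"
    "open=VANJA/bozic.exe\n"
    "action=Open folder to view files using Windows Explorer\n"
    "icon=VANJA/bozic.exe\n"
    "Shell\\open\\command=VANJA/bozic.exe\n"
    "shell\\open\\command=VANJA/bozic.exe\n"
    "USEAUTOPLAY=1\n"
)


def parse_autorun(text: str) -> Dict[str, str]:
    """Lenient key=value parser.  Lines without '=' (the junk line, comments,
    the broken section header) are skipped; keys are case-folded so the two
    Shell/shell\\open\\command lines collapse to one entry."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(entries: Dict[str, str]) -> List[str]:
    """Return human-readable reasons this autorun.inf looks malicious."""
    findings: List[str] = []
    for key, value in entries.items():
        if (key in LAUNCH_KEYS or SHELL_COMMAND.match(key)) \
                and value.lower().endswith(EXEC_SUFFIXES):
            findings.append(f"{key} launches {value}")
    if "open folder" in entries.get("action", "").lower():
        # Explorer's default wording is copied so the fake entry looks like
        # the genuine "Open folder to view files" choice in the AutoPlay dialog.
        findings.append("action text imitates Explorer's own AutoPlay entry")
    if entries.get("useautoplay") == "1":
        findings.append("UseAutoPlay=1 present")
    return findings


# Constructed vendor list; a real deployment would use a fuller one.
SECURITY_DOMAINS = ("avg.com", "spybot.info", "bleepingcomputer.com",
                    "microsoft.com", "symantec.com")
LOCAL_SINKS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

SAMPLE_HOSTS = """# constructed sample matching the post's description
127.0.0.1       localhost
101.78.193.115  www.avg.com
101.78.193.115  free.avg.com download.avg.com
101.78.193.115  www.bleepingcomputer.com   # help site redirected too
127.0.0.1       www.spybot.info
"""


def hosts_hijacks(text: str) -> List[Tuple[str, str, str]]:
    """List (hostname, address, kind) for every hosts entry that touches a
    security-vendor name: 'redirect' when it points at a remote address (an
    update-poisoning / phishing risk), 'block' when it is sinkholed locally."""
    hits: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field, not a hosts mapping
        kind = "block" if addr in LOCAL_SINKS else "redirect"
        for name in parts[1:]:
            host = name.lower()
            if any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((host, str(addr), kind))
    return hits


if __name__ == "__main__":
    for finding in autorun_findings(parse_autorun(SAMPLE_AUTORUN)):
        print("autorun.inf:", finding)
    for host, addr, kind in hosts_hijacks(SAMPLE_HOSTS):
        print(f"hosts: {host} -> {addr} ({kind})")
```

Run against the constructed samples it reports both launch handlers, the imitated Explorer wording and the UseAutoPlay flag for the autorun.inf, and four vendor names redirected to 101.78.193.115 plus one sinkholed to 127.0.0.1 for the hosts file. On a real machine the same two functions can be pointed at the root of each removable drive and at `%SystemRoot%\System32\drivers\etc\hosts`; a loopback entry for a vendor name is just as worth investigating as a remote one, since it silently breaks the product's updates.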



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 April 2010 - 07:46 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 25 April 2010 - 05:24 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
