Hello,
I have got this Bozic Virus on my PC. I have mentioned in points below the info I found about the virus on my PC and the series of events that occurred:
1. The virus deleted AVG and didn't let me run Spybot & HijackThis.
2. It tries to send email when I put on the router and connect to the internet.
3. It tried to shut down my computer when I ran Spybot and HijackThis after renaming the .exe files of those programs.
4. Spybot found registry entries titled proRAT which had disabled auto-protect and had shell command executions.
5. There is a file called Csrss.exe with a folder icon in my Users folder. I am pretty sure that's the virus since the original should be in the 'System32' folder.
6. I installed Comodo Firewall and it reported Csrss.exe as Shellcode Injection in the log. I think it's attaching itself to the system process to hide.
7. I have got this software called 'File Assassin', which deletes files by unlocking handles from the running processes, so I can delete the Csrss.exe file. But when I tried to delete it Windows crashed and restarted.
File Assassin has got an option of deleting the file before Windows starts, so I was wondering, should I delete the file? Will it cause any problem?
8. When I plugged in my USB flash drive the virus copied itself onto it. Below is the text from the autorun.inf file on the flash drive:
[autorun
-dSAÍÆ’—◊¿*Æ’Àâ—Š¿â€°Àâ—Šä*Æ’äÅ’ådakLDKWQdAKLS??DKWLQ?Dƒ∆¿â‚¬â€¹â€˜¬âˆ†â‚¬â€¹¿â€˜â€šÎ…À¬÷∆Èά÷…‚Α€À¡¬¡â‚¬â€˜Æ’·Ò‘€¬¡Æ’‘€›∆¬À÷Ÿ…À¬÷…¡â€š·Ù¬Æ’∆‚‘ƒ∆‚ηÊÀ÷Ÿ˜˚∆‘ƒ¸â€°ËœÙ€ƒ∆—Α∆ÀƒˆÈʬÀÆ’÷…›‚·Ë†â€šâ€°·Ùƒ∆¬À¡âˆ†Å¸÷¬ÀÆ’·Ë†Ë‚Ή·â€º÷¬¸÷‰¸â€šËšâ€˜Æ’∆¸Ò˜‘€ƒ∆—À«â€¦
open=VANJA/bozic.exe
action=Open folder†to view files using†Windows†Explorer
icon=VANJA/bozic.exe
Shell\open\command=VANJA/bozic.exe
shell\open\command=VANJA/bozic.exe
USEAUTOPLAY=1
Vanja Bozic sounds like an Italian name.
So does anyone have any suggestions for what I should do to get rid of this malware?
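A small triage parser for an autorun.inf like the one quoted above, added here as an example and not part of the original post. It reads the file as tolerantly as Windows does (junk after "[autorun" is skipped, keys are case-insensitive) and reports the indicators a responder looks for: launch keys that point at an executable, a spoofed "Open folder" action string padded with non-ASCII characters, a forced AutoPlay, and an unclosed section header. The sample input is constructed from the entries in the post; the junk line is a stand-in for the real padding bytes.

```python
import re

# Constructed sample modelled on the autorun.inf quoted in the post.
# The second line is placeholder filler, not the original junk bytes.
SAMPLE_AUTORUN = (
    "[autorun\n"
    "-dSA\u00cd\u00c6\u2019\u2014\u25ca*placeholder*junk\n"
    "open=VANJA/bozic.exe\n"
    "action=Open folder\u00a0to view files using\u00a0Windows\u00a0Explorer\n"
    "icon=VANJA/bozic.exe\n"
    "Shell\\open\\command=VANJA/bozic.exe\n"
    "shell\\open\\command=VANJA/bozic.exe\n"
    "USEAUTOPLAY=1\n"
)

# Keys that make Explorer run a program when the drive is opened or autoplayed.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
DEFAULT_ACTION = "open folder to view files using windows explorer"

def parse_autorun(text):
    """Return {key: value} for key=value lines; keys lower-cased, junk lines skipped."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z\\]+)\s*=\s*(.*?)\s*$", line)
        if m:
            entries.setdefault(m.group(1).lower(), m.group(2))  # first wins, like INI
    return entries

def triage_autorun(text):
    """Return a list of human-readable indicators found in an autorun.inf."""
    entries = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        if key in entries:
            findings.append(f"{key} launches {entries[key]}")
    action = entries.get("action", "")
    if action and any(ord(c) > 127 for c in action):
        findings.append("action contains non-ASCII characters (looks like the stock Explorer text)")
    norm = re.sub(r"\s+", " ", action.lower()).strip()  # \s also folds NBSP (U+00A0)
    if norm == DEFAULT_ACTION and ("open" in entries or "shellexecute" in entries):
        findings.append("action mimics the default 'Open folder' prompt while open= runs a file")
    if entries.get("useautoplay") == "1":
        findings.append("USEAUTOPLAY=1 forces the AutoPlay handler")
    first = text.lstrip().splitlines()[0] if text.strip() else ""
    if first.lower().startswith("[autorun") and first.strip().lower() != "[autorun]":
        findings.append("section header not closed, padding after [autorun (obfuscation)")
    return findings

if __name__ == "__main__":
    for f in triage_autorun(SAMPLE_AUTORUN):
        print("-", f)
```

A clean autorun.inf that only sets icon= and label= produces no findings, so the script can be run over every removable drive's root as a first check.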
==================
Hello,
I have a hidden Csrss.exe file in my Users folder and it has a folder icon. I saw in Task Manager that it has its CPU usage priority set to high. And the virus has deleted my AVG installation and won't let Spybot and HijackThis run. So when I ran Spybot after renaming the Spybot filename the virus tried to shut down my computer; I tried to stop the shutdown by aborting it in the Run command but the shutdown timer just kept on appearing.
Also I have tried to delete the file but it won't let me, so I used a program called File Assassin. When I try to use File Assassin on Csrss the computer restarts.
The virus has also modified the hosts file, pointing almost all the help sites and antivirus sites to the IP 101.78.193.115. Random files keep on appearing in Temp and Temporary Internet Files, e.g. gftr.exe, nyluta.exe, clr.exe etc.
When I connect to the internet on the machine, scvhost.exe tries to send emails using my mail program.
Please can anyone tell me how to get rid of this virus.
End of added content. ~ OB
ComboFix 10-04-11.06 - Thacker 15/04/2010 23:55:40.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.495.164 [GMT 5.5:30]
Running from: c:\documents and settings\Thacker\Desktop\New Folder\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Quick Heal 10.00 *On-access scanning disabled* (Outdated) {05C1329D-F0E0-4B19-9D15-54F9BC3ADE87}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Thacker\Local Settings\Temporary Internet Files\favicon.ico
c:\program files\INSTALL.LOG
c:\windows\eSellerateEngine.dll
c:\windows\system32\CFSCODE.DLL
c:\windows\system32\cncs32.dll
c:\windows\system32\mcicode.dll
c:\windows\system32\shutdown .exe
c:\windows\system32\userini.exe
c:\windows\system32\w32apiw.dll
c:\windows\system32\winupd01.exe
c:\documents and settings\Thacker\csrss.exe . . . . failed to delete
c:\documents and settings\Thacker\secupdat.dat . . . . failed to delete
c:\windows\system32\secupdat.dat . . . . failed to delete
Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\beep.sys
Can anyone tell me what I can do to fix this?
Edited by Orange Blossom, 17 April 2010 - 11:08 PM.