Virus Attack..... Help!

Hi,

one of our computers is infected with a virus and its been impossible to clean/delete it. some of the symptoms presented are:

1.) disables taskmanager and control panel/add remove programs

2.) disables any antivirus website when open (i tried opening bitdefender to scan online in IE6, other sites are surfing fine).

3.) the cpu usage is 80-100% on startup

4.)the computer has become very slow in responding to commands

5.) are suspect process that once deleted, reappear again, almost immediately e.g.

a.) zero.txt

b.) adobeR.exe

c.) blank.doc

d.) scvvhost.exe

e.) unoccupied.reg

f.) d6fagcs8.cmd

g.) ohct8ybw.bat

h.) 2ifetri.cmd

i.) hole.zip

j) 3wcxx91.cmd

k.) search protection.exe

l.) explorer.exe

m.) <zombie>

I read a post on the topic hidden process and downloaded the BDAspySetup.exe and also HijackThis.

can someone kindly analysis the results from these two tools and advice on how to deal with the virus attack.

HijackThis Log file:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:39:12 PM, on 2/18/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dllChache\Empty.jpg

C:\WINDOWS\system32\dllChache\Blank.doc

C:\WINDOWS\system32\dllChache\Zero.txt

C:\WINDOWS\system32\dllChache\Hole.zip

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\system32\dllChache\Unoccupied.reg

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AdVantage\AdVantage.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\SoftwareDistribution\Download\2d7809720343ee9223ce4d88d99bf3c2\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, "C:\WINDOWS\system32\M5VBVM60.EXE StartUp"

O1 - Hosts: 82.146.60.44 www.postbank.de

O1 - Hosts: 82.146.60.44 postbank.de

O1 - Hosts: 82.146.60.44 banking.postbank.de

O1 - Hosts: 82.146.60.44 direkt.postbank.de

O1 - Hosts: 82.146.60.44 www.smile.co.uk

O1 - Hosts: 82.146.60.44 smile.co.uk

O1 - Hosts: 82.146.60.44 cahoot.com

O1 - Hosts: 82.146.60.44 www.cahoot.com

O1 - Hosts: 82.146.60.44 www.cahoot.co.uk

O1 - Hosts: 82.146.60.44 cahoot.co.uk

O1 - Hosts: 82.146.60.44 www.co-operativebank.co.uk

O1 - Hosts: 82.146.60.44 co-operativebank.co.uk

O1 - Hosts: 82.146.60.44 www.co-operativebank.com

O1 - Hosts: 82.146.60.44 co-operativebank.com

O1 - Hosts: 82.146.60.44 personal.barclays.co.uk

O1 - Hosts: 82.146.60.44 barclays.co.uk

O1 - Hosts: 82.146.60.44 ibank.barclays.co.uk

O1 - Hosts: 82.146.60.44 www.barclays.co.uk

O1 - Hosts: 82.146.60.44 barclays.touchclarity.com

O1 - Hosts: 82.146.60.44 hsbc.co.uk

O1 - Hosts: 82.146.60.44 www.hsbc.co.uk

O1 - Hosts: 82.146.60.44 hsbc.touchclarity.com

O1 - Hosts: 82.146.60.44 www1.member-hsbc-group.com

O1 - Hosts: 82.146.60.44 lloydstsb.co.uk

O1 - Hosts: 82.146.60.44 www.lloydstsb.co.uk

O1 - Hosts: 82.146.60.44 lloydstsb.com

O1 - Hosts: 82.146.60.44 www.lloydstsb.com

O1 - Hosts: 82.146.60.44 mi.lloydstsb.com

O1 - Hosts: 82.146.60.44 www.woolwich.co.uk

O1 - Hosts: 82.146.60.44 woolwich.co.uk

O1 - Hosts: 82.146.60.44 www.deutsche-bank.de

O1 - Hosts: 82.146.60.44 deutsche-bank.de

O1 - Hosts: 82.146.60.44 meine.deutsche-bank.de

O1 - Hosts: 82.146.60.44 www.anbusiness.com

O1 - Hosts: 82.146.60.44 anbusiness.com

O1 - Hosts: 82.146.60.44 www.abbeyinternational.com

O1 - Hosts: 82.146.60.44 www.barclays.com

O1 - Hosts: 82.146.60.44 barclays.com

O1 - Hosts: 82.146.60.44 ibank.internationalbanking.barclays.com

O1 - Hosts: 82.146.60.44 offshore.hsbc.com

O1 - Hosts: 82.146.60.44 www.lloydstsb-offshore.com

O1 - Hosts: 82.146.60.44 lloydstsb-offshore.com

O1 - Hosts: 78.24.218.208 lacaixa.es

O1 - Hosts: 78.24.218.208 portal.lacaixa.es

O1 - Hosts: 78.24.218.208 www.lacaixa.es

O1 - Hosts: 78.24.218.208 lo1.lacaixa.es

O1 - Hosts: 78.24.218.208 lo2.lacaixa.es

O1 - Hosts: 78.24.218.208 lo.lacaixa.es

O1 - Hosts: 82.146.60.44 citibank.de

O1 - Hosts: 82.146.60.44 www.citibank.de

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [uIUCU] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINDOWS\system32\mmsvc32.exe

O4 - HKLM\..\Run: [spools Service Controller] C:\WINDOWS\system32\spools.exe

O4 - HKLM\..\Run: [blank AntiViri] C:\AUT0EXEC.BAT StartUp

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe

O4 - HKCU\..\Run: [AdVantage] "C:\Program Files\AdVantage\AdVantage.exe"

O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe

O4 - HKCU\..\Run: [secure64] C:\WINDOWS\system32\dllcache\Regedit32.com StartUp

O4 - HKCU\..\Run: [secure32] C:\WINDOWS\system32\dllcache\Shell32.com StartUp

O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{5EF7FB86-32D5-4496-904C-80ABD9CEF302}: NameServer = 213.147.64.7,213.147.64.8

O17 - HKLM\System\CS1\Services\Tcpip\..\{5EF7FB86-32D5-4496-904C-80ABD9CEF302}: NameServer = 213.147.64.7,213.147.64.8

O17 - HKLM\System\CS2\Services\Tcpip\..\{5EF7FB86-32D5-4496-904C-80ABD9CEF302}: NameServer = 213.147.64.7,213.147.64.8

O21 - SSODL: msbu32.dll - {C4D7F3F0-8BC7-E962-78D9-D3AC728F6EA7} - c:\windows\system32\msbu32.dll

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

End of file - 8876 bytes

NB: thanks farbar, i'll try the CleanX-II.exe

/applications/core/interface/file/attachment.php?id=1538" data-fileid="1538" rel="">bd_sys_log.xml

Find more posts tagged with

Comments

Cd-MaN

Suspicious files (please archive them in a password-protected - preferably using the password "infected" - zip file and attach them to a post on the forum so that we can take a look at them):

C:\WINDOWS\system32\dllChache\Empty.jpg

C:\WINDOWS\system32\dllChache\Blank.doc

C:\WINDOWS\system32\dllChache\Zero.txt

C:\WINDOWS\system32\dllChache\Hole.zip

C:\WINDOWS\system32\dllChache\Unoccupied.reg

C:\WINDOWS\system32\M5VBVM60.EXE

C:\WINDOWS\system32\dllcache\Regedit32.com

C:\WINDOWS\system32\dllcache\Shell32.com

C:\WINDOWS\system32\amvo.exe

Also, it seems that whatever infection you have has a phising component to it. If you use any of the sites present in you hijackthis log, (ie www.postbank.de, www.cahoot.com and so on), make sure to ( a ) get on a clean computer and ( b ) change your credentials (passwords) immediately as they most probably has been captured and sent to a third party!

A little off-topic: it seems that the computer has only McAfee installed (no BitDefender), so even if detection will be added for the files, it won't be of much use. You could use the BitDefender Online Scanner to make use of those detections.

Best regards.

farbar

Hi mgsadmin,

You have multiple infections: worms, Trojans, adware agents, and a keylogger. you should not be online unless is needed for disinfection. Avoid rebooting unless is needed for disinfection. I suggest you follow the advise given to you by Cd-MaN if you had sensitive information on this computer. They are no secret any more.

You have more infected/suspicious files but I suppose some of them can be already detected by BitDefender.

So please send the files as attachment as it is said, you can read about how to do it here:Virus Submission

Meanwhile I go through your log and give you the removal instructions.