Virus Attack..... Help!
Hi,
one of our computers is infected with a virus and its been impossible to clean/delete it. some of the symptoms presented are:
1.) disables taskmanager and control panel/add remove programs
2.) disables any antivirus website when open (i tried opening bitdefender to scan online in IE6, other sites are surfing fine).
3.) the cpu usage is 80-100% on startup
4.)the computer has become very slow in responding to commands
5.) are suspect process that once deleted, reappear again, almost immediately e.g.
a.) zero.txt
b.) adobeR.exe
c.) blank.doc
d.) scvvhost.exe
e.) unoccupied.reg
f.) d6fagcs8.cmd
g.) ohct8ybw.bat
h.) 2ifetri.cmd
i.) hole.zip
j) 3wcxx91.cmd
k.) search protection.exe
l.) explorer.exe
m.) <zombie>
I read a post on the topic hidden process and downloaded the BDAspySetup.exe and also HijackThis.
can someone kindly analysis the results from these two tools and advice on how to deal with the virus attack.
HijackThis Log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:12 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllChache\Empty.jpg
C:\WINDOWS\system32\dllChache\Blank.doc
C:\WINDOWS\system32\dllChache\Zero.txt
C:\WINDOWS\system32\dllChache\Hole.zip
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\dllChache\Unoccupied.reg
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdVantage\AdVantage.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\SoftwareDistribution\Download\2d7809720343ee9223ce4d88d99bf3c2\update\update.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, "C:\WINDOWS\system32\M5VBVM60.EXE StartUp"
O1 - Hosts: 82.146.60.44 www.postbank.de
O1 - Hosts: 82.146.60.44 postbank.de
O1 - Hosts: 82.146.60.44 banking.postbank.de
O1 - Hosts: 82.146.60.44 direkt.postbank.de
O1 - Hosts: 82.146.60.44 www.smile.co.uk
O1 - Hosts: 82.146.60.44 smile.co.uk
O1 - Hosts: 82.146.60.44 cahoot.com
O1 - Hosts: 82.146.60.44 www.cahoot.com
O1 - Hosts: 82.146.60.44 www.cahoot.co.uk
O1 - Hosts: 82.146.60.44 cahoot.co.uk
O1 - Hosts: 82.146.60.44 www.co-operativebank.co.uk
O1 - Hosts: 82.146.60.44 co-operativebank.co.uk
O1 - Hosts: 82.146.60.44 www.co-operativebank.com
O1 - Hosts: 82.146.60.44 co-operativebank.com
O1 - Hosts: 82.146.60.44 personal.barclays.co.uk
O1 - Hosts: 82.146.60.44 barclays.co.uk
O1 - Hosts: 82.146.60.44 ibank.barclays.co.uk
O1 - Hosts: 82.146.60.44 www.barclays.co.uk
O1 - Hosts: 82.146.60.44 barclays.touchclarity.com
O1 - Hosts: 82.146.60.44 hsbc.co.uk
O1 - Hosts: 82.146.60.44 www.hsbc.co.uk
O1 - Hosts: 82.146.60.44 hsbc.touchclarity.com
O1 - Hosts: 82.146.60.44 www1.member-hsbc-group.com
O1 - Hosts: 82.146.60.44 lloydstsb.co.uk
O1 - Hosts: 82.146.60.44 www.lloydstsb.co.uk
O1 - Hosts: 82.146.60.44 lloydstsb.com
O1 - Hosts: 82.146.60.44 www.lloydstsb.com
O1 - Hosts: 82.146.60.44 mi.lloydstsb.com
O1 - Hosts: 82.146.60.44 www.woolwich.co.uk
O1 - Hosts: 82.146.60.44 woolwich.co.uk
O1 - Hosts: 82.146.60.44 www.deutsche-bank.de
O1 - Hosts: 82.146.60.44 deutsche-bank.de
O1 - Hosts: 82.146.60.44 meine.deutsche-bank.de
O1 - Hosts: 82.146.60.44 www.anbusiness.com
O1 - Hosts: 82.146.60.44 anbusiness.com
O1 - Hosts: 82.146.60.44 www.abbeyinternational.com
O1 - Hosts: 82.146.60.44 www.barclays.com
O1 - Hosts: 82.146.60.44 barclays.com
O1 - Hosts: 82.146.60.44 ibank.internationalbanking.barclays.com
O1 - Hosts: 82.146.60.44 offshore.hsbc.com
O1 - Hosts: 82.146.60.44 www.lloydstsb-offshore.com
O1 - Hosts: 82.146.60.44 lloydstsb-offshore.com
O1 - Hosts: 78.24.218.208 lacaixa.es
O1 - Hosts: 78.24.218.208 portal.lacaixa.es
O1 - Hosts: 78.24.218.208 www.lacaixa.es
O1 - Hosts: 78.24.218.208 lo1.lacaixa.es
O1 - Hosts: 78.24.218.208 lo2.lacaixa.es
O1 - Hosts: 78.24.218.208 lo.lacaixa.es
O1 - Hosts: 82.146.60.44 citibank.de
O1 - Hosts: 82.146.60.44 www.citibank.de
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [uIUCU] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINDOWS\system32\mmsvc32.exe
O4 - HKLM\..\Run: [spools Service Controller] C:\WINDOWS\system32\spools.exe
O4 - HKLM\..\Run: [blank AntiViri] C:\AUT0EXEC.BAT StartUp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
O4 - HKCU\..\Run: [AdVantage] "C:\Program Files\AdVantage\AdVantage.exe"
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKCU\..\Run: [secure64] C:\WINDOWS\system32\dllcache\Regedit32.com StartUp
O4 - HKCU\..\Run: [secure32] C:\WINDOWS\system32\dllcache\Shell32.com StartUp
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EF7FB86-32D5-4496-904C-80ABD9CEF302}: NameServer = 213.147.64.7,213.147.64.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{5EF7FB86-32D5-4496-904C-80ABD9CEF302}: NameServer = 213.147.64.7,213.147.64.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{5EF7FB86-32D5-4496-904C-80ABD9CEF302}: NameServer = 213.147.64.7,213.147.64.8
O21 - SSODL: msbu32.dll - {C4D7F3F0-8BC7-E962-78D9-D3AC728F6EA7} - c:\windows\system32\msbu32.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
--
End of file - 8876 bytes
NB: thanks farbar, i'll try the CleanX-II.exe
/applications/core/interface/file/attachment.php?id=1538" data-fileid="1538" rel="">bd_sys_log.xml
Comments
-
Suspicious files (please archive them in a password-protected - preferably using the password "infected" - zip file and attach them to a post on the forum so that we can take a look at them):
C:\WINDOWS\system32\dllChache\Empty.jpg
C:\WINDOWS\system32\dllChache\Blank.doc
C:\WINDOWS\system32\dllChache\Zero.txt
C:\WINDOWS\system32\dllChache\Hole.zip
C:\WINDOWS\system32\dllChache\Unoccupied.reg
C:\WINDOWS\system32\M5VBVM60.EXE
C:\WINDOWS\system32\dllcache\Regedit32.com
C:\WINDOWS\system32\dllcache\Shell32.com
C:\WINDOWS\system32\amvo.exe
Also, it seems that whatever infection you have has a phising component to it. If you use any of the sites present in you hijackthis log, (ie www.postbank.de, www.cahoot.com and so on), make sure to ( a ) get on a clean computer and ( b ) change your credentials (passwords) immediately as they most probably has been captured and sent to a third party!
A little off-topic: it seems that the computer has only McAfee installed (no BitDefender), so even if detection will be added for the files, it won't be of much use. You could use the BitDefender Online Scanner to make use of those detections.
Best regards.0 -
Hi mgsadmin,
You have multiple infections: worms, Trojans, adware agents, and a keylogger. you should not be online unless is needed for disinfection. Avoid rebooting unless is needed for disinfection. I suggest you follow the advise given to you by Cd-MaN if you had sensitive information on this computer. They are no secret any more.
You have more infected/suspicious files but I suppose some of them can be already detected by BitDefender.
So please send the files as attachment as it is said, you can read about how to do it here:Virus Submission
Meanwhile I go through your log and give you the removal instructions.0
