Protection System and more MALWARE [Solved]

#1
DrLucky
Member
Hi

I used Geekstogo a few years back for help with a desktop of mine. Because of your great success, I decided to try here again when my parents called me and told me their laptop was under attack.

The Story:

The first issue was a different scareware, systemprotect, I think, that one of my folks trusted and installed onto their system (Laptop, Windows XP Pro SP2). It changed their background to an entire malware, virus, adware warning. (Hilariously over the top and misspelled...)
It also caused constant popups warning of non-existent security alerts (like most scarewares do).
They had NO anti-anything installed... so I quickly installed Spybot, Threatfire, Ad-Aware and Malwarebytes.
The malware blocked Threatfire and Malwarebytes from installing, it prevented Ad-Aware from running and kept Spybot S&D from removing the files it did scan and find.

A friend tried to fix it. Somehow, he was able to remove the issues by following an online guide which instructed him on what files to delete and what to change in the registry.

Everything seemed fine, and the computer was back to normal until the next day when my dad started to use internet explorer. Wherever he went, it installed "Protection System" and made things much worse.


The current issues are the following:

Protection system is installed and running.
Every 30 seconds, it shows a balloon from the task panel warning of an imminent threat.
Every 2 minutes it pops up either with a similar warning or one that says "A computer at this IP address is attacking your computer... etc."
It even came up with a warning that "Malwarebytes" is a high threat and must be removed immediately. (Malwarebytes was installed in the interim between the first and second problem.)
It adds porn links to the desktop.
The wallpaper is an active desktop recovery screen.
The malware also blocks access to some websites. It completely blocks access to some antivirus sites and gives this warning to "popular" sites like facebook, myspace or ebay:

"Restricted Site!
This web site is restricted based on your security preferences.
Your system is infected. Please activate your antivirus software."
_______

I have tried all my programs previously mentioned, and I completed your "Malware and Spyware Cleaning Guide". Here are the results:

SysRestorePoint - would not run
Erunt - Completed step
MalwareBytes - will not run
Numerous antivirus programs...I didn't try them all, but I wasn't having any luck with the ones I did try
Windows Updated
I didn't risk a reboot since most of the previous didn't work
RootRepeal - worked:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:			2009/07/24 00:42
Program Version:		Version 1.3.2.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB1B45000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79DD000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: hjgruixfumujai.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruixfumujai.sys
Address: 0xB1F38000	Size: 159744	File Visible: -	Signed: -
Status: Hidden from the Windows API!

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7A69000	Size: 2560	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1597000	Size: 49152	File Visible: No	Signed: -
Status: -

Hidden Services
-------------------
Service Name: hjgruisqtenbmq
Image PathC:\WINDOWS\system32\drivers\hjgruixfumujai.sys

Service Name: UACd.sys
Image PathC:\WINDOWS\system32\drivers\UACcqokxehkrt.sys

==EOF==

OTL - Worked (Log attached)


That's about it...
thanks for any help I will get...
I am awaiting your response.

Kris

Attached Files

  • Attached File: OTL.Txt (95.82KB)

Edited by DrLucky, 24 July 2009 - 01:21 AM.

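The RootRepeal log above is the one piece of hard evidence in this post: a driver with a random name that is hidden from the Windows API, plus two hidden services, one of them pointing at a driver file RootRepeal does not list at all. The following is an added example, not part of the thread or of RootRepeal itself: a small parser for that report format that pulls out exactly those two findings, run over an excerpt of the log posted above (field-name list and the "hidden" status match are assumptions about the format).

```python
import re
# Excerpt of the RootRepeal report posted in #1 (dump_*/rootrepeal.sys rows omitted).
ROOTREPEAL_LOG = """\
Drivers
-------------------
Name: hjgruixfumujai.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\hjgruixfumujai.sys
Address: 0xB1F38000\tSize: 159744\tFile Visible: -\tSigned: -
Status: Hidden from the Windows API!

Hidden Services
-------------------
Service Name: hjgruisqtenbmq
Image PathC:\\WINDOWS\\system32\\drivers\\hjgruixfumujai.sys

Service Name: UACd.sys
Image PathC:\\WINDOWS\\system32\\drivers\\UACcqokxehkrt.sys

==EOF==
"""

# RootRepeal field names; ":" optional since the post lost it after "Image Path".
FIELD = re.compile(r"^(Service Name|Name|Image Path|Address|Size|File Visible"
                   r"|Signed|Status):?\s*(.*)$")

def parse_rootrepeal(log: str) -> dict[str, list[dict[str, str]]]:
    """Split the report into sections, each a list of key/value records."""
    sections, section, record = {}, "", {}
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            section = line.strip()          # a header precedes a dashed rule
            sections[section] = []
        elif not line.strip() or line.startswith(("---", "==")):
            if record and section:          # blank line or rule ends a record
                sections[section].append(record)
            record = {}
        else:
            for field in line.split("\t"):  # several fields may share a line
                m = FIELD.match(field.strip())
                if m:
                    record[m.group(1)] = m.group(2).strip()
    return sections

def assess(sections: dict) -> dict:
    """Flag API-hidden drivers and tie each hidden service to its driver."""
    drivers = sections.get("Drivers", [])
    listed = {d.get("Image Path", "").lower() for d in drivers}
    hidden_drivers = [d["Name"] for d in drivers
                      if "hidden" in d.get("Status", "").lower()]
    # False third element: the service's driver is absent from the driver list.
    hidden_services = [(s["Service Name"], s.get("Image Path", ""),
                        s.get("Image Path", "").lower() in listed)
                       for s in sections.get("Hidden Services", [])]
    return {"hidden_drivers": hidden_drivers, "hidden_services": hidden_services}
```

A service whose driver file never appears in the driver list (the UACd.sys entry here) is the stronger indicator, since the file is concealed from the scanner's own enumeration, not just from the Windows API.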


#2
RatHat
Ex Malware Expert
Hi there,

Welcome to GeeksToGo.


OK, firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Please ensure you have word wrap turned off in Notepad. To do this, open Notepad, choose Format, then ensure Word Wrap is Un-checked. (Word Wrap makes reading your logs difficult).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please read this Combofix tutorial before continuing, then follow the instructions below.

Download ComboFix from Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    [screenshots of the rename step]

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Regards,
RatHat

#3
DrLucky
Member, Topic Starter
Thanks for the fast reply, RatHat.

I renamed and downloaded ComboFix from the first link. After running the exe, a legit-looking warning came up saying that the ComboFix files had been compromised and that I needed to download it again from bleepingcomputer.com. I then deleted the exe and tried to download it from the second link, but my browser said the link was dead (it could be the malware blocking it though).

thanks,

Kris

#4
RatHat
Ex Malware Expert
Kris,

Download it from here, then run it as shown above. Let me know when done so I can delete it. I have already renamed it.

#5
DrLucky
Member, Topic Starter
nope, same issue

here is the exact error:

!! ALERT !! It is NOT SAFE to continue!

The contents of the ComboFix package has been compromised.
Please download a fresh copy from:

http://www.bleepingc...to-use-combofix

Note: You may be infected with a file patching virus "Virut"

#6
RatHat
Ex Malware Expert
OK. This is not good, Kris. If it is Virut, the only cure is to reformat and reinstall.

Virut is a file infector that will infect every executable file on a computer, along with other file types.

Let's run a couple of checks to see if the machine is indeed infected with Virut.

I would like you to upload a file to be scanned
  • Please go to VirSCAN.org
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\Windows\explorer.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Open Notepad and paste the contents into a new Notepad file using Ctrl and V at the same time.
  • Save the notepad file to your desktop as VirScan.txt and copy the contents into your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download Dr.Web CureIt to your desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

#7
DrLucky
Member, Topic Starter
Believe it or not, but it wouldn't copy the log, so I did it manually...

or you can see it here:
http://virscan.org/r...266020d71f.html
File information
	File Name: explorer.exe
	File Size: 1054208 byte
	File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
	MD5: ae339b02f8ccae76199e9d985e7d609d
	SHA1: c932dd0de7da2993175c094cd38d8b3e74c159c1

Scanner results
	Scanner results: 32% Scanner(12/38) found malware!
	Time: 2009/07/24 02:38:35 (EDT)

	Scanner	Engine Ver	Sig Ver	Sig Date	Scan result	Time
	a-squared	4.5.0.3	20090723202354	2009-07-23	Trojan.Win32.Patched!IK	1.037
	AhnLab V3	2009.07.24.02	2009.07.24	2009-07-24	-	0.822
	AntiVir	8.2.0.228	7.1.5.23	2009-07-23	W32/Virut.Gen	0.420
	Antiy	2.0.18	20090722.2632680	2009-07-22	-	0.044
	Arcavir	2009	200907231922	2009-07-23	Heur.W32	0.116
	Authentium	5.1.1	200907232206	2009-07-23	W32/Virut.AI!Generic (Heuristic)	1.985
	AVAST!	4.7.4	090723-0	2009-07-23	-	0.053
	AVG	8.5.288	270.13.26/2257	2009-07-24	-	0.502
	BitDefender	7.81008.3849296	7.26772	2009-07-24	-	3.364
	CA (VET)	9.0.0.143	31.6.6635	2009-07-24	-	7.521
	ClamAV	0.95.2	9609	2009-07-24	-	0.161
	Comodo	3.10	1749	2009-07-23	-	1.697
	CP Secure	1.1.0.715	2009.07.24	2009-07-24	-	12.138
	Dr.Web	4.44.0.9170	2009.07.23	2009-07-23	-	5.225
	F-Prot	4.4.4.56	20090723	2009-07-23	Possible W32/Virut.AI!Generic	1.463
	F-Secure	5.51.6100	2009.07.24.02	2009-07-24	-	0.090
	Fortinet	2.81-3.120	10.639	2009-07-23	-	0.375
	GData	19.6660/19.409	20090724	2009-07-24	-	6.885
	Ikarus	T3.1.01.64	2009.07.23.73089	2009-07-23	Trojan.Win32.Patched	3.714
	JiangMin	11.0.800	2009.07.24	2009-07-24	-	12.164
	Kaspersky	5.5.10	2009.07.24	2009-07-24	-	0.056
	KingSoft	2009.2.5.15	2009.7.24.7	2009-07-24	-	2.708
	McAfee	5.3.00	5686	2009-07-23	New Win32.g2	3.091
	Microsoft	1.4903	2009.07.24	2009-07-24	Virus:Win32/Sqraw.gen!A	6.116
	mks_vir	2.01	2009.07.15	2009-07-15	Trojan.Downloader.Vbs.Psyme.E	4.567
	Norman	6.01.09	6.01.00	2009-07-22	-	4.027
	nProtect	20090724.01	4931384	2009-07-24	-	13.285
	Panda	9.05.01	2009.07.23	2009-07-23	Suspicious file	10.560
	Quick Heal	10.00	2009.07.23	2009-07-23	W32.Virut.G	4.911
	Rising	20.0	21.39.40.00	2009-07-24	-	1.624
	Sophos	2.88.0	4.43	2009-07-24	-	3.017
	Sunbelt	5277	5277	2009-07-22	-	1.737
	Symantec	1.3.0.24	20090723.003	2009-07-23	-	0.094
	The Hacker	6.3.4.3	v00373	2009-07-23	-	2.794
	Trend Micro	8.700-1004	6.308.04	2009-07-23	PE_VIRUX.J	0.037
	VBA32	3.12.10.9	20090723.1537	2009-07-23	-	1.897
	ViRobot	20090721	2009.07.21	2009-07-21	-	0.456
	VirusBuster	4.5.11.10	10.109.8/1824482	2009-07-23	-	2.946



the download link for Dr.Web CureIt is either broken or blocked.

Edited by DrLucky, 24 July 2009 - 12:55 AM.

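A multi-engine result like the VirSCAN table above is easiest to read once the vendor names are collapsed into families: five engines name Virut (Trend Micro's PE_VIRUX is its label for the same family), two flag explorer.exe as a patched system binary, and the rest are heuristics. The following is an added example, not code from the thread or from VirSCAN, that parses ten of the 38 rows in the tab-separated layout used above and reduces them to a detection ratio, a family tally and a consensus label; the alias table is an assumption of this example.

```python
import re
from collections import Counter

# Ten of the 38 rows from the VirSCAN.org result for explorer.exe in post #7,
# one tab-separated row per engine: scanner, engine ver, sig ver, sig date,
# result ("-" = clean), scan time in seconds.
VIRSCAN_ROWS = """\
a-squared\t4.5.0.3\t20090723202354\t2009-07-23\tTrojan.Win32.Patched!IK\t1.037
AhnLab V3\t2009.07.24.02\t2009.07.24\t2009-07-24\t-\t0.822
AntiVir\t8.2.0.228\t7.1.5.23\t2009-07-23\tW32/Virut.Gen\t0.420
Authentium\t5.1.1\t200907232206\t2009-07-23\tW32/Virut.AI!Generic (Heuristic)\t1.985
F-Prot\t4.4.4.56\t20090723\t2009-07-23\tPossible W32/Virut.AI!Generic\t1.463
Kaspersky\t5.5.10\t2009.07.24\t2009-07-24\t-\t0.056
Microsoft\t1.4903\t2009.07.24\t2009-07-24\tVirus:Win32/Sqraw.gen!A\t6.116
Panda\t9.05.01\t2009.07.23\t2009-07-23\tSuspicious file\t10.560
Quick Heal\t10.00\t2009.07.23\t2009-07-23\tW32.Virut.G\t4.911
Trend Micro\t8.700-1004\t6.308.04\t2009-07-23\tPE_VIRUX.J\t0.037
"""

# Assumed alias table for grouping vendor names: Trend Micro's "Virux" is
# its name for the Virut family; "Patched" marks a modified system binary.
FAMILY_ALIASES = {"virut": "virut", "virux": "virut",
                  "patched": "patched", "sqraw": "sqraw"}

def parse_virscan(rows: str) -> list[dict]:
    """One dict per engine row; a "-" result becomes None (clean)."""
    out = []
    for line in rows.splitlines():
        scanner, engine, sig, sig_date, result, secs = line.split("\t")
        out.append({"scanner": scanner, "engine": engine, "sig": sig,
                    "sig_date": sig_date,
                    "result": None if result.strip() == "-" else result.strip(),
                    "seconds": float(secs)})
    return out

def family_of(result: str) -> str:
    """Map a vendor detection name to a family label; generic hits get 'heuristic'."""
    low = result.lower()
    for key, fam in FAMILY_ALIASES.items():
        if key in low:
            return fam
    return "heuristic" if re.search(r"heur|suspicious|generic", low) else "other"

def summarize(rows: list[dict]) -> dict:
    """Detection ratio, per-family tally and the most frequently named family."""
    hits = [r for r in rows if r["result"]]
    families = Counter(family_of(r["result"]) for r in hits)
    return {"detections": len(hits), "engines": len(rows),
            "families": dict(families),
            "consensus": families.most_common(1)[0][0] if hits else None}
```

For a stock Windows binary such as explorer.exe, a "Patched" verdict from any engine is itself significant, whatever the family tally says, because the file should match the vendor's known-good hash.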

#8
RatHat
Ex Malware Expert
Kris,

Well, I'm afraid I have bad news for you.

You have been infected with a polymorphic file infector named Virut. This infection will spread to every executable file in your computer, and unfortunately the only cure for it is to Reformat and Reinstall.

Right now, the best thing you can do is to backup, preferably to CD, all your important data, documents, pictures, movies, and songs.

DO NOT backup any applications or installers and DO NOT backup any files with the following extensions:
  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar
For more information on Virut, and why you need to reformat, have a read of miekiemoes' blog here.

To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

To find out more information about how you may have got infected in the first place, you can read this article.

I am sorry I cannot give any better news.

Regards,
RatHat

#9
DrLucky
Member, Topic Starter
Ok, thanks for the news.

I will back up their emails, pictures and documents.

Do you have any suggestions for what I can scan those files with just in case?

Also is there any danger in copying them to a flash drive?

Lastly, they want to keep their internet shortcuts, which are html, of course...
is there any way to save them?

thanks,
Kris

#10
RatHat
Ex Malware Expert
Kris,

Save the shortcuts as a text file instead of an HTML file. That should then be safe.

Use the following program to make a USB drive safe by installing it and running it on a clean computer:

Download Flash_Disinfector.exe by sUBs from here or here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder; it will help protect your drives from future infection.


Scan the USB drive before copying anything to any clean machine.

The Dr Web CureIt is good for scanning for Virut, and will download easily to any other computer, so use that to scan the files after you have backed them up.

Make sure to check here after you have reformatted so you can get links to the best free AVs and protection for the computer.

#11
DrLucky
Member, Topic Starter
How do I save the shortcuts as a document? I know I could copy the web pages one by one to a file, but they have 100s of them...

Also, Flash_Disinfector.exe didn't work on my computer; I am running Windows XP Pro 64-bit.
Anything else I could try?

thanks

#12
RatHat
Ex Malware Expert
Which browser are you using, which has all the bookmarks that you want to save?

#13
DrLucky
Member, Topic Starter
thanks, but I found a program that converted them to text...

I have backed up all the important files, scanned them with Dr.Web CureIt and then formatted the drive of the computer...
I have reinstalled Windows and am adding all the safe files back.
Thanks for all the help, you can close this thread!

Kris

#14
RatHat
Ex Malware Expert
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.