Respawning Virus File, ".exe" - Geeks to Go Forums

Jump to content

Log in Register Register Malware removal guide How it works

Respawning Virus File, ".exe"

#1 DSX

  • Group: Member
  • Posts: 3
  • Joined: 30-August 07

Posted 30 August 2007 - 11:07 AM

Hello everyone,

Recently my computer became infected with Vundo, and after trying various fixes, I ended up wiping and reinstalling Windows XP. After the reinstall, I had an upleasant surprise: something is definitely still lurking somewhere on my system.

My antivirus software is avast! Antivirus. Multiple times per day, I receive a warning that a file literally called ".exe" has spawned on my system and that it is a virus. Strangely, the virus also has a different name every time it appears. Here is my avast! warnings log:


23/08/2007 1:29:37 AM SYSTEM 1928 Sign of "Win32:Agent-FER [Trj]" has been found in "C:\WINDOWS\system32\.exe" file.
23/08/2007 11:39:34 AM SYSTEM 1928 Sign of "Win32:Allaple [Wrm]" has been found in "C:\WINDOWS\system32\.exe" file.
24/08/2007 5:21:50 PM SYSTEM 1944 Sign of "Win32:Virut-B" has been found in "C:\WINDOWS\system32\.exe" file.
25/08/2007 10:06:44 PM SYSTEM 1892 Sign of "Win32:Rbot-DQS [Trj]" has been found in "C:\WINDOWS\system32\.exe" file.
25/08/2007 10:06:57 PM SYSTEM 1892 Sign of "Win32:Rbot-DQS [Trj]" has been found in "C:\WINDOWS\system32\.exe" file.
25/08/2007 10:12:04 PM Owner 568 Sign of "Win32:Rbot-DQS [Trj]" has been found in "C:\WINDOWS\system32\.exe" file.
26/08/2007 12:26:28 PM SYSTEM 1892 Sign of "Win32:Allaple [Wrm]" has been found in "C:\WINDOWS\system32\.exe" file.
26/08/2007 3:53:40 PM SYSTEM 1892 Sign of "Win32:Allaple [Wrm]" has been found in "C:\WINDOWS\system32\.exe" file.
26/08/2007 9:22:11 PM SYSTEM 1904 Sign of "Win32:Rbot-DQS [Trj]" has been found in "C:\WINDOWS\system32\.exe" file.
27/08/2007 2:13:09 AM SYSTEM 108 Sign of "Win32:Allaple-IS [Wrm]" has been found in "C:\WINDOWS\system32\.exe" file.
27/08/2007 7:22:29 PM SYSTEM 1896 Sign of "Win32:Allaple [Wrm]" has been found in "C:\WINDOWS\system32\.exe" file.
28/08/2007 3:52:30 AM SYSTEM 1908 Sign of "Win32:Rbot-DQS [Trj]" has been found in "C:\WINDOWS\system32\.exe" file.
29/08/2007 12:08:35 AM SYSTEM 1912 Sign of "Win32:Virut-C" has been found in "C:\WINDOWS\system32\.exe" file.
30/08/2007 3:44:40 AM SYSTEM 1916 Sign of "Win32:Virut-C" has been found in "C:\WINDOWS\system32\.exe" file.

I have tried many of the suggestions on this site, using various antivirus programs, online scanners, and recommended tools, all of which have accomplished nothing. What is even more frustrating is that the virus has been undetected by everything, with the exception of avast! which catches it only when ".exe" appears.

Here is a HijackThis! log. It's quite brief because not much has been reinstalled on the system yet:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:08 AM, on 30/08/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

O1 - Hosts: 80.190.241.30 home.edonkey.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 3692 bytes


Also - I have two hard drives; my C: is where I have Windows XP installed and all of my programs. I also have an 80 GB hard drive (F:) for storing files. Is it possible that the infection is coming from F: (I did not wipe F: when I reinstalled XP)?

Any help on this would be greatly appreciated!

Thanks very much in advance!

#2 JSntgRvr

  • Group: Global Moderator
  • Posts: 9,530
  • Joined: 30-November 05

Posted 04 September 2007 - 05:42 PM

Hi, DSX :whistling:

Welcome.

Lets see if we can nuke that file:

Download the HostsXpert 3.8 - Hosts File Manager.
  • Unzip HostsXpert 3.8 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.8 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote

Files to delete:
C:\WINDOWS\system32\.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log .

#3 Runscanner

  • Group: Retired Staff
  • Posts: 83
  • Joined: 15-July 07

Posted 05 September 2007 - 02:29 PM

Post removed. Only one staff member per thread.

#4 DSX

  • Group: Member
  • Posts: 3
  • Joined: 30-August 07

Posted 09 September 2007 - 09:28 AM

Thanks so much for your reply! And I apologize for the delay in my response (first week back at work from vacation; this is my first chance to actually sit down at my computer).

Okay! I followed your directions (they were excellent, btw), and here's Avenger's log:


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\niovlqpj

*******************

Script file located at: \??\C:\Documents and Settings\neshadbb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Finally, a fresh HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:00 AM, on 09/09/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\irdvxc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\delautocomp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe

--
End of file - 3924 bytes


I hope that that pesky virus is eliminated!

~ DSX

#5 JSntgRvr

  • Group: Global Moderator
  • Posts: 9,530
  • Joined: 30-November 05

Posted 09 September 2007 - 11:45 AM

Quote

Hi, DSX :whistling:

There is a Trojan/Backdoor in your system

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote

Drivers to unload:
MSDisk

Files to delete:
C:\WINDOWS\System32\irdvxc.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.

Download ComboFix from Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.

  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply along with a Hijackthis log.

  • Click Close to exit the program.

#6 JSntgRvr

  • Group: Global Moderator
  • Posts: 9,530
  • Joined: 30-November 05

Posted 09 September 2007 - 12:02 PM

Hi, DSX :whistling:

I just have noticed that your system has not been validated. After each reformat, Windows must be validated. Else, you wont be able to get Windows updates and your system will be opened for infections.

Validate your copy of Windows:

http://www.microsoft...s/Validate.aspx

Download and install SP1a:

http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

Without doing this you we will be wasting our time, as you will keep being infected.

You must use Internet Explorer to perform these actions.

#7 JSntgRvr

  • Group: Global Moderator
  • Posts: 9,530
  • Joined: 30-November 05

Posted 15 September 2007 - 11:30 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this topic:


Page 1 of 1