Author Topic: Yet another nasty "Win32/heur" and "Win32:JunkPoly [Cryp]" infection

stupidwin32

  • Guest
I'm on a 5-week-old Dell Vostro 2510 running XP.  Yes, only 5 weeks old.  Ugh.  MS Windows XP Professional SP3, Intel Core2 Duo CPU T5670 @ 1.80GHz, 3.0GB RAM.  I'm doing a boot scan and so far it's found 13 infections, the first being "Win32:Virtumonde-SP [Adw]" and the other 12 being "Win32:JunkPoly [Cryp]".  Now I've gotten down to near the end of the scan and it's telling me:

"File C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\wscript.exe is infected by Win32:JunkPoly [Cryp]".

When I tried to move it to the chest, it said "File is in Windows folder, are you sure?"

Should I say yes or no?  Since it's an .exe in the Windows folder, I'm concerned that moving (or deleting) it may cause further undesirable damage.  So if someone could tell me whether to move this file or not, I'll then be on my way and can get some log results posted ASAP, as well as the other circumstances surrounding this nasty infection I got earlier today.

UPDATE: I went ahead and moved everything infected in the WINDOWS folder to the chest.  So far, so good.  I can still move around in Safe Mode with no problem and still just get the blue screen if I try to boot into XP normally.  However, one of the 40 infected files that showed up was NOTEPAD.EXE, infected by Win32:JunkPoly [Cryp] (in fact, 32 of the 40 infected files were infected by JunkPoly.  Nasty little bugger).  I told it to ignore it since I read in an older post here that NOTEPAD.EXE will trigger a false positive.  Is anyone sure about that?  Obviously I don't want to post .txt logs as attachments on the board here if my Notepad itself is infected.
« Last Edit: February 22, 2009, 09:11:33 AM by stupidwin32 »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Yet another nasty "Win32/heur" and "Win32:JunkPoly [Cryp]" infection
« Reply #1 on: February 22, 2009, 09:51:23 AM »
Test these 2 files at virustotal  http://www.virustotal.com/

C:\windows\notepad.exe
c:\windows\system32\notepad.exe

Just copy and paste the file paths into the "Upload a file" box and click "Send file". Wait for the results, then submit the other one. What do you get?

If it says the file has already been analysed, click "Reanalyse".
« Last Edit: February 22, 2009, 09:54:48 AM by oldman »

stupidwin32

  • Guest
Re: Yet another nasty "Win32/heur" and "Win32:JunkPoly [Cryp]" infection
« Reply #2 on: February 22, 2009, 04:09:44 PM »
Both C:\windows\notepad.exe and c:\windows\system32\notepad.exe revealed...
File notepad.exe received on 02.22.2009 15:52:32 (CET)
Result: 23/39 (58.98%)
Antivirus        Version           Last Update        Result
a-squared       4.0.0.93          2009.02.22               Virus.Win32.Hupigon.MAP!IK
AhnLab-V3       2009.2.21.0   2009.02.22               Win32/Virut.F
AntiVir       7.9.0.87          2009.02.21               W32/Virut.Gen
Authentium       5.1.0.4          2009.02.22               W32/Virut.AI!Generic
Avast               4.8.1335.0     2009.02.22               Win32:Vitro
AVG               8.0.0.237       2009.02.21               -
BitDefender       7.2           2009.02.22               -
CAT-QuickHeal 10.00           2009.02.22               -
ClamAV        0.94.1           2009.02.22               -
Comodo        983           2009.02.20               -
DrWeb        4.44.0.09170   2009.02.22               Win32.Virut.56
eSafe             7.0.17.0    2009.02.19               -
eTrust-Vet        31.6.6368   2009.02.20               Win32/Virut.17408
F-Prot        4.4.4.56   2009.02.22               W32/Patched.E.gen!Eldorado
F-Secure        8.0.14470.0   2009.02.22               Virus.Win32.Virut.ce
Fortinet        3.117.0.0   2009.02.22               -
GData        19           2009.02.22               Win32:Vitro
Ikarus        T3.1.1.45.0   2009.02.22               Virus.Win32.Hupigon.MAP
K7AntiVirus        7.10.639   2009.02.21               -
Kaspersky        7.0.0.125   2009.02.22               Virus.Win32.Virut.ce
McAfee        5532           2009.02.21               W32/Virut.n.gen
McAfee+Artemis 5532           2009.02.21               W32/Virut.n.gen
Microsoft        1.4306           2009.02.22               Virus:Win32/Virut.BM
NOD32        3877           2009.02.22               Win32/Virut.NBK
Norman        6.00.06           2009.02.20               -
nProtect        2009.1.8.0   2009.02.22               -
Panda        10.0.0.10   2009.02.22               W32/Sality.AO
PCTools        4.4.2.0           2009.02.22               -
Prevx1        V2           2009.02.22             -
Rising                21.17.62.00   2009.02.22               -
SecureWeb-Gateway 6.7.6   2009.02.22               Win32.Virut.Gen
Sophos        4.39.0           2009.02.22               W32/Scribble-A
Sunbelt        3.2.1855.2   2009.02.17               Win32.Virut.cf (v)
Symantec        10           2009.02.22               W32.Virut.CF
TheHacker        6.3.2.4.263   2009.02.21               -
TrendMicro        8.700.0.1004   2009.02.20               PE_VIRUX.D
VBA32        3.12.10.0   2009.02.22               Virus.Win32.Virut.X5
ViRobot        2009.2.20.1617  2009.02.20       -
VirusBuster        4.5.11.0   2009.02.21               -
Additional information
File size: 86528 bytes
MD5...: 7350ac74c26ab6413a5f3e6667cf0740
SHA1..: fc49adaf1d1a7744bdd5f2d4c7341543ededcc34
SHA256: 500eb85d0b4f3e716ad5538b7f10fee256ee2c38ed9baa0cf7476c695aa7b0df
SHA512: bebcd2ef28ef8b9b40f68b8c4d34fc107098e282149ee233aa19782bd4312a8727abd65da9a6bf2fb004b257d16fd018b561c00791f639e42e1d8c37131b30af
ssdeep: 1536:dwOnbNQKLjWDyy1o5I0foMJUEbooPRrKKReFX3B5QL7+z7BW:XNQKPWDyDI0fFJltZrpReFX3BA+W
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1013ccd
timedatestamp.....: 0x48025287 (Sun Apr 13 18:35:51 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7748 0x7800 6.28 debcf7299d2aac29b3bca84abd1d18dd
.data 0x9000 0x1ba8 0x800 1.15 3fd82fcc3cf0c0692e0e466248ee3fbf
.rsrc 0xb000 0xda00 0xce00 6.46 ff9c61a64c9532ca0b7d1cefeaeff939

( 9 imports )
> comdlg32.dll: PageSetupDlgW, FindTextW, PrintDlgExW, ChooseFontW, GetFileTitleW, GetOpenFileNameW, ReplaceTextW, CommDlgExtendedError, GetSaveFileNameW
> SHELL32.dll: DragFinish, DragQueryFileW, DragAcceptFiles, ShellAboutW
> WINSPOOL.DRV: GetPrinterDriverW, ClosePrinter, OpenPrinterW
> COMCTL32.dll: CreateStatusWindowW
> msvcrt.dll: _XcptFilter, _exit, _c_exit, time, localtime, _cexit, iswctype, _except_handler3, _wtol, wcsncmp, _snwprintf, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, wcsncpy
> ADVAPI32.dll: RegQueryValueExW, RegCloseKey, RegCreateKeyW, IsTextUnicode, RegQueryValueExA, RegOpenKeyExA, RegSetValueExW
> KERNEL32.dll: GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetLocalTime, GetUserDefaultLCID, GetDateFormatW, GetTimeFormatW, GlobalLock, GlobalUnlock, GetFileInformationByHandle, CreateFileMappingW, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, LoadLibraryA, GetModuleHandleA, GetStartupInfoA, GlobalFree, GetLocaleInfoW, LocalFree, LocalAlloc, lstrlenW, LocalUnlock, CompareStringW, LocalLock, FoldStringW, CloseHandle, lstrcpyW, ReadFile, CreateFileW, lstrcmpiW, GetCurrentProcessId, GetProcAddress, GetCommandLineW, lstrcatW, FindClose, FindFirstFileW, GetFileAttributesW, lstrcmpW, MulDiv, lstrcpynW, LocalSize, GetLastError, WriteFile, SetLastError, WideCharToMultiByte, LocalReAlloc, FormatMessageW, GetUserDefaultUILanguage, SetEndOfFile, DeleteFileW, GetACP, UnmapViewOfFile, MultiByteToWideChar, MapViewOfFile, UnhandledExceptionFilter
> GDI32.dll: EndPage, AbortDoc, EndDoc, DeleteDC, StartPage, GetTextExtentPoint32W, CreateDCW, SetAbortProc, GetTextFaceW, TextOutW, StartDocW, EnumFontsW, GetStockObject, GetObjectW, GetDeviceCaps, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SetBkMode, LPtoDP, SetWindowExtEx, SetViewportExtEx, SetMapMode, SelectObject
> USER32.dll: GetClientRect, SetCursor, ReleaseDC, GetDC, DialogBoxParamW, SetActiveWindow, GetKeyboardLayout, DefWindowProcW, DestroyWindow, MessageBeep, ShowWindow, GetForegroundWindow, IsIconic, GetWindowPlacement, CharUpperW, LoadStringW, LoadAcceleratorsW, GetSystemMenu, RegisterClassExW, LoadImageW, LoadCursorW, SetWindowPlacement, CreateWindowExW, GetDesktopWindow, GetFocus, LoadIconW, SetWindowTextW, PostQuitMessage, RegisterWindowMessageW, UpdateWindow, SetScrollPos, CharLowerW, PeekMessageW, EnableWindow, DrawTextExW, CreateDialogParamW, GetWindowTextW, GetSystemMetrics, MoveWindow, InvalidateRect, WinHelpW, GetDlgCtrlID, ChildWindowFromPoint, ScreenToClient, GetCursorPos, SendDlgItemMessageW, SendMessageW, CharNextW, CheckMenuItem, CloseClipboard, IsClipboardFormatAvailable, OpenClipboard, GetMenuState, EnableMenuItem, GetSubMenu, GetMenu, MessageBoxW, SetWindowLongW, GetWindowLongW, GetDlgItem, SetFocus, SetDlgItemTextW, wsprintfW, GetDlgItemTextW, EndDialog, GetParent, UnhookWinEvent, DispatchMessageW, TranslateMessage, TranslateAcceleratorW, IsDialogMessageW, PostMessageW, GetMessageW, SetWinEventHook

( 0 exports )

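The PEInfo block above carries a useful static indicator that the thread does not spell out. As an added example (not part of the thread, and not code from VirusTotal or avast!), this Python snippet parses the entry point and section table exactly as VirusTotal printed them for this notepad.exe and reports which section the entry point falls in; a legitimate notepad.exe starts executing in .text, while a file infector that has patched the program typically moves the entry point into the last section. It assumes the entrypointaddress field is a virtual address and that the image base is 0x01000000 (neither is stated on the page).

```python
import re

# Entry point and section table copied from the VirusTotal PEInfo output
# quoted above for notepad.exe (columns: name viradd virsiz rawdsiz ntrpy md5).
PEINFO = """
entrypointaddress.: 0x1013ccd
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7748 0x7800 6.28 debcf7299d2aac29b3bca84abd1d18dd
.data 0x9000 0x1ba8 0x800 1.15 3fd82fcc3cf0c0692e0e466248ee3fbf
.rsrc 0xb000 0xda00 0xce00 6.46 ff9c61a64c9532ca0b7d1cefeaeff939
"""

# Assumption (not stated on the page): the reported entrypointaddress is a
# virtual address, and the image base of this notepad.exe is 0x01000000.
IMAGE_BASE = 0x01000000

# Sections that normally hold the entry point of an unmodified PE.
CODE_SECTIONS = {".text", "CODE"}

SECTION_RE = re.compile(
    r"^(\.?\w+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([\d.]+)\s+([0-9a-f]{32})",
    re.IGNORECASE,
)


def parse_peinfo(text):
    """Return (entry_point_va, [section dicts]) from a VirusTotal-style PEInfo dump."""
    entry_va, sections = None, []
    for line in text.splitlines():
        if line.startswith("entrypointaddress"):
            entry_va = int(line.split(":", 1)[1].strip(), 16)
            continue
        m = SECTION_RE.match(line)
        if m:
            name, va, vsize, rsize, entropy, md5 = m.groups()
            sections.append({
                "name": name,
                "va": int(va, 16),
                "vsize": int(vsize, 16),
                "rsize": int(rsize, 16),
                "entropy": float(entropy),
                "md5": md5,
            })
    return entry_va, sections


def section_for_rva(sections, rva):
    """Name of the section whose mapped range contains rva, or None."""
    for s in sections:
        # The mapped span of a section is the larger of its virtual and raw size.
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None


def check_entry_point(text, image_base=IMAGE_BASE):
    """Flag an entry point that lies outside every code section."""
    entry_va, sections = parse_peinfo(text)
    rva = entry_va - image_base
    name = section_for_rva(sections, rva)
    return {
        "ep_rva": rva,
        "section": name,
        "suspicious": name not in CODE_SECTIONS,
        "last_section": sections[-1]["name"] if sections else None,
    }


if __name__ == "__main__":
    r = check_entry_point(PEINFO)
    print(f"entry point RVA 0x{r['ep_rva']:x} lies in {r['section']} "
          f"(last section: {r['last_section']}); suspicious={r['suspicious']}")
```

Under those assumptions the entry point RVA is 0x13ccd, which lies in .rsrc (the last section) rather than in .text, which ends at 0x8800; that matches what the detection table says about this file.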
Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33903
  • malware fighter
Re: Yet another nasty "Win32/heur" and "Win32:JunkPoly [Cryp]" infection
« Reply #3 on: February 22, 2009, 05:44:15 PM »
Hi stupidwin32,

In a very early stage you could try a repair as described here: http://forum.avast.com/index.php?topic=42709.msg357927#msg357927 (make sure all hidden files are being shown, etc. In the case of scanning with DrWebCureIt from a pen drive, make sure the autorun.inf file on the USB stick is set to hidden and read-only, and make sure this USB stick has been loaded from a non-infected PC).
But in the case that this nasty file infector has corrupted too much, it can reinfect at any time, and because the damage is beyond repair given the random and sloppy way it infects particular files, the only option open is the FFR solution: fdisk, format & re-install.

I haven't a clue what the tactic behind this malware could be from the viewpoint of the malcreants; they leave the system so infected it is virtually beyond repair, it is not fit for spreading spyware or adware or for use as a zombie anymore, so it must be sheer aggressive stupidity on their part. The only comfort in all this is that you are not alone.
Take measures not to get re-infected, that is: go online with fewer rights (only use full admin rights for updates, patches, and checked downloads), have a software firewall installed and running, have your third-party software checked for all updates and patches through a program like Secunia PSI,
use a browser like Firefox with the NoScript extension installed and active to prevent scripts from wreaking havoc on your computer, and do not go looking for keygens, torrents, or other illegal downloads.

polonus
« Last Edit: February 22, 2009, 05:50:30 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

stupidwin32

  • Guest
Re: Yet another nasty "Win32/heur" and "Win32:JunkPoly [Cryp]" infection
« Reply #4 on: February 22, 2009, 06:20:30 PM »
Thanks for the response, polonus.  Those scans were actually the first I'd seen of Virut and Vitro in my PC.  All it had been was a lot of Win32:JunkPoly and a few trojans.  And actually, this all started as AVG picking up "Win32\heur" and it's gotten bigger/worse from there.

Just for your review, here's what a boot scan turned up late last night.  And sorry for not putting this in a txt attachment, but again I don't want to risk spreading anything if my Notepad is infected:

02/21/2009 22:52
Scan of all local drives

File C:\Documents and Settings\(My Name)\Local Settings\Temporary Internet Files\Content.IE5\04UFSY2H\doc[1].txt is infected by Win32:Virtumonde-SP [Adw], Moved to chest
File C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\AutoGK\tools\normalize.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\AutoGK\VDubMod\VirtualDubMod.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\Dell\Printer Software\lexprtsu.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\Java\jre1.6.0_07\bin\javacpl.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\Java\jre1.6.0_07\bin\ktab.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\Java\jre1.6.0_07\bin\rmid.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\K-Lite Codec Pack\Real\settings.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\K-Lite Codec Pack\Tools\dsconfig.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\Windows Media Connect 2\wmccds.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\Program Files\Windows Media Player\wmpnetwk.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\wscript.exe is infected by Win32:JunkPoly [Cryp], Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Repair: Error 42060 {The file was not repaired.}, Delete: Error 0xC0000034 {Object Name not found.}
File C:\WINDOWS\ie7\spuninst\ieResetIcons.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CasPol.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\NOTEPAD.EXE is infected by Win32:JunkPoly [Cryp]
File C:\WINDOWS\SoftwareDistribution\Download\21b9c2f7b1db683e3d83bfb825d32092\SP2QFE\ie4uinit.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\A.tmp is infected by Win32:Virtumonde-SP [Adw], Moved to chest
File C:\WINDOWS\system32\codeblocks.exe\[UPX] is infected by Win32:Lmir-BK [trj], Moved to chest
File C:\WINDOWS\system32\dfrgfat.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\drivers\protect.sys is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\WINDOWS\system32\esentutl.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\eventcreate.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\fsquirt.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\grpconv.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\help.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\pdbcopy.exe\[UPX] is infected by Win32:Lmir-BK [trj], Moved to chest
File C:\WINDOWS\system32\ping.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\proquota.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\regsvr32.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\tcmsetup.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\uwdf.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\vcredist_x86.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\verclsid.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\wbem\wmiadap.exe is infected by Win32:JunkPoly [Cryp], Moved to chest
File C:\WINDOWS\system32\windres.exe\[UPX] is infected by Win32:Lmir-BK [trj], Moved to chest
File C:\WINDOWS\Temp\BN3.tmp is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\WINDOWS\Temp\init.exe is infected by Win32:Virtumonde-TW [Adw], Moved to chest
Number of searched folders: 5482
Number of tested files: 63876
Number of infected files: 40

Another tech forum had some suggestions on how to do a cleaning process and get together logs of reports.  One of the programs suggested is Malwarebytes' Anti-Malware, but I can't even get it to install correctly because I'm getting 2 run-time errors.  Tried renaming the .exe file as someone suggested, but that didn't help it install either.  So apparently I can't run that program.

I'm going to try the DrWebCureIt suggestion to see if that does anything at all for me, but I think I'm slowly starting to accept I'm probably looking at a format ahead.  I'll post the result of the DrWebCureIt scan when (and if) it finishes.

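The boot-scan log above mixes three outcomes per line: files moved to the chest, a file where every action failed with an error code (wscript.exe), and a file left in place (NOTEPAD.EXE). As an added example (not from the thread and not part of avast!), this Python snippet parses that log format, tallies detections by signature and outcome, and lists files under the Windows directory that were not quarantined, which is what a responder would want to look at first. The embedded log is a constructed excerpt of six of the forty lines quoted above.

```python
import re
from collections import Counter

# Constructed excerpt: six of the forty lines from the avast! boot-scan log
# quoted above, chosen to cover each outcome the log reports.
SCAN_LOG = [
    r"File C:\Program Files\Java\jre1.6.0_07\bin\ktab.exe is infected by Win32:JunkPoly [Cryp], Moved to chest",
    r"File C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\wscript.exe is infected by Win32:JunkPoly [Cryp], Move to chest: Error 0xC0000034 {Object Name not found.}, Repair: Error 42060 {The file was not repaired.}, Delete: Error 0xC0000034 {Object Name not found.}",
    r"File C:\WINDOWS\NOTEPAD.EXE is infected by Win32:JunkPoly [Cryp]",
    r"File C:\WINDOWS\system32\codeblocks.exe\[UPX] is infected by Win32:Lmir-BK [trj], Moved to chest",
    r"File C:\WINDOWS\system32\drivers\protect.sys is infected by Win32:Trojan-gen {Other}, Moved to chest",
    r"File C:\WINDOWS\Temp\init.exe is infected by Win32:Virtumonde-TW [Adw], Moved to chest",
]

# "File <path> is infected by <signature>[, <action results>]"
LINE_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<sig>[^,]+?)(?:, (?P<actions>.+))?$"
)
ERROR_RE = re.compile(r"Error (0x[0-9A-Fa-f]+|\d+)")


def parse_line(line):
    """Turn one log line into a dict, or None if the line is not a detection."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, sig, actions = m.group("path"), m.group("sig"), m.group("actions")
    # A trailing "\[UPX]" marks a detection inside a packed member; keep the container path.
    container = re.sub(r"\\\[[^\]]+\]$", "", path)
    if actions is None:
        status = "no action"        # left in place (e.g. the user chose Ignore)
    elif actions.startswith("Moved to chest"):
        status = "quarantined"
    else:
        status = "failed"           # every attempted action reported an error
    return {
        "path": container,
        "packed": container != path,
        "signature": sig,
        "status": status,
        "errors": ERROR_RE.findall(actions or ""),
        "in_windows_dir": container.lower().startswith("c:\\windows\\"),
    }


def triage(lines):
    """Summarise a scan log: counts per signature and per outcome, plus OS files still in place."""
    entries = [e for e in map(parse_line, lines) if e]
    return {
        "entries": entries,
        "by_signature": Counter(e["signature"] for e in entries),
        "by_status": Counter(e["status"] for e in entries),
        "needs_attention": [
            e["path"] for e in entries
            if e["in_windows_dir"] and e["status"] != "quarantined"
        ],
    }


if __name__ == "__main__":
    report = triage(SCAN_LOG)
    for sig, n in report["by_signature"].most_common():
        print(f"{n:3d}  {sig}")
    print("outcomes:", dict(report["by_status"]))
    print("OS files not quarantined:", *report["needs_attention"], sep="\n  ")
```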
stupidwin32

  • Guest
Re: Yet another nasty "Win32/heur" and "Win32:JunkPoly [Cryp]" infection
« Reply #5 on: February 22, 2009, 07:18:37 PM »
polonus, in your instructions in the other post on how to set up the "Actions" settings for CureIt, there is no "Replace" option to select for "Adware", "Dialers", and "Hacktools".  The available options are "Report", "Delete", "Rename", "Move", and "Ignore".  Which do I choose?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33903
  • malware fighter
Re: Yet another nasty "Win32/heur" and "Win32:JunkPoly [Cryp]" infection
« Reply #6 on: February 22, 2009, 08:37:34 PM »
Hi stupidwin32,

Good question; the equivalent is "Move".
Make sure additional scans are done in Safe Mode, because in Safe Mode the virus is NOT active, according to this information:
The infected machines need to be isolated and then scanned after reboot, preferably in "Safe Mode,"
in order to remove the infected files.
Scanning in safe mode allows us to repair files that may be in use (for example, system files).
Additionally, the virus will not load in safe mode. Non-repairable files may need to be restored from backup.
Remove network shares, or make them read-only at a minimum so that the virus can't spread to them.
As a last resort, highly compromised machines may need to be reimaged.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

stupidwin32

  • Guest
Re: Yet another nasty "Win32/heur" and "Win32:JunkPoly [Cryp]" infection
« Reply #7 on: February 22, 2009, 08:54:00 PM »
Thanks polonus.

Yeah, all the scans are running in safe mode because that's all I can boot to.  If I try to boot to XP normally, I get the blue screen that starts off saying, "A problem has been detected and Windows has been shut down to prevent damage to your computer", etc. etc.

Looking at the scan results so far from CureIt, the boot scan and avast!, it looks like practically everything infected is an .exe file.  If at all possible, I'd really like to back up the other info I have on my hard drive to DVD data discs before reformatting so I don't lose it (I don't have an external hard drive or anything like that that I could copy the files over to).  I have Roxio CD/DVD burning software but I can't access the drivers for it in safe mode.  Any ideas how I can access it or back up my other info to disc considering my current situation?  Maybe uploading the files I need backed up to an online filehoster so I can download them on the computer after it's formatted (nothing I'd be backing up would be .exe files, so I'm hoping I'd be okay and wouldn't just be moving the viruses to the clean computer)?
« Last Edit: February 22, 2009, 09:04:44 PM by stupidwin32 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33903
  • malware fighter
Re: Yet another nasty "Win32/heur" and "Win32:JunkPoly [Cryp]" infection
« Reply #8 on: February 22, 2009, 09:09:40 PM »
Hi stupidwin32,

If you think you have cleansed all the files the file infector had a shot at, in safe mode with full scans, you could approach it from a pen drive that has been disinfected with the autorun disinfector from here:
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
Leave the file this leaves on your USB stick there and set its properties to hidden and read-only,
load the files you wanna save there and scan these thoroughly with DrWeb's CureIt in the proposed settings, and again after you started up in Safe Mode, so you have various scanning routines following each other up. Better safe than sorry, because the file infector can rise from the dead from almost any infected executable, and then we are right back where we started.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

stupidwin32

  • Guest
Re: Yet another nasty "Win32/heur" and "Win32:JunkPoly [Cryp]" infection
« Reply #9 on: February 22, 2009, 11:59:00 PM »
Hi polonus,

I decided just to go ahead and format and not run the risk of spreading its problems to when it's been cleaned up.  Hopefully that'll clear the problem up.  Like I said before, the computer's only 5 weeks old so it wasn't like I lost too much info.

This was a nasty, nasty virus, whether it was Win32\heur, Win32:JunkPoly, Win32:Virut, Win32:Vitro, Virtumonde, or all of them put together, since it seems like they were all having a party in there.  My sympathies to whoever else gets them in the future.  Thanks for all the advice and suggestions as to how to fight back.

A last question before I go:  what all programs do you recommend I use to try to prevent this from happening in the future?  I've been using Firefox for awhile now but have never used the NoScript add-on, which I will do henceforth.  I had AVG Free 8.0 running with daily updates.  Windows Firewall was on.  I know you mentioned torrents and keygen as things to avoid.  I don't do torrents and have no idea what keygen means.  On my old Dell laptop, all I ran was Spybot, Adaware, and Windows Defender and never had any problems for 4 and a half years.

Thanks again for all the assistance.

P.S.  So far so good with the reinstall.  Putting all the drivers back on at the moment.  By the way, is it necessary to delete both the NTFS and the FAT partitions when reinstalling?  I only did the NTFS but figured it's all that was needed.
« Last Edit: February 23, 2009, 12:08:37 AM by stupidwin32 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33903
  • malware fighter
Re: Yet another nasty "Win32/heur" and "Win32:JunkPoly [Cryp]" infection
« Reply #10 on: February 23, 2009, 12:19:33 AM »
Hi stupidwin32,

Well, after a reformat, update, upgrade and patch your Windows PC fully, and keep doing that to be protected against new exploits used by malcreants. Make sure you have the latest third-party software on your computer checked through Secunia PSI, download here: http://secunia.com/PSISetup.exe
On your computer you have one resident av solution; avast is a good solution and has a very good webshield protection.
To limit the damage to your OS from 92% of known malware, use normal user rights while doing your normal online activities, and only use full admin rights for downloading secure software, your MS downloads and patches, and your third-party software upgrades and patches.
Use an alternate browser like Firefox or Flock with the NoScript extension installed, so you can have that activated when browsing unknown or not fully trusted sites. It has not been compromised yet, NoScript that is.
For additional scanning every fortnight, download the free versions of MBAM and SAS; they are good anti-spyware solutions: http://www.malwarebytes.org/mbam.php  &
http://www.superantispyware.com/superantispywarefreevspro.html
Install SpywareBlaster from here: http://www.javacoolsoftware.com/sbdownload.html  for passive protection.
Then use a software FW, and you have the right attitude not to get infected further.
This is the best advice I can give you after all these years of being here and experience with online security.

Yours faithfully,

polonus
« Last Edit: February 23, 2009, 12:23:35 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Yet another nasty "Win32/heur" and "Win32:JunkPoly [Cryp]" infection
« Reply #11 on: February 23, 2009, 10:07:47 AM »
Hi stupidwin32,

Good choice. I saw one with similar symptoms to yours. Safe mode only. An online scan showed 2000 infected files. There's a thread on this forum somewhere where there has been some success cleaning this, but it's believed it can't be accomplished on a forum yet.

Sometimes it's better to cut your losses. Essexboy spent over a week cleaning a Sality infection.