Avast WEBforum
Other => Viruses and worms => Topic started by: JoeMcLaughlin on October 25, 2009, 09:49:30 PM
-
I have a virus on a desktop. Thanks to free on-line games and children that do not know any better for this virus. A friend suggested Avast so I am giving it a try. So far Avast is not doing very well to kill the virus I have. Avast finds it and I tell it to delete but it comes back after every re-boot. I am about 2 seconds away from nuking the hard drive and re-installing the POS Microsft operating system but I thought I would throw a post up in the forum first. to see if there is any hope.
Joe......
-
See if this will help
http://www.digitalred.com/avast-boot-time.php
-
Hi JoeMcLaughlin,
Try this removal tool: http://www.virusexperts.org/wp-content/uploads/2009/09/Magania.bzmw_Trojan_Removal_virusexperts.org_.zip
polonus
-
See if this will help
http://www.digitalred.com/avast-boot-time.php
I tried that. It looks like it works but when it finds the virus and gives me an option to delete, the PC locks up and will not respond.
Joe.......
-
Hi JoeMcLaughlin,
Try this removal tool: http://www.virusexperts.org/wp-content/uploads/2009/09/Magania.bzmw_Trojan_Removal_virusexperts.org_.zip
polonus
Downloaded, unzipped and ran both. Re-booting now to see how it worked;)
Joe.......
-
Hi JoeMcLaughlin,
Try this removal tool: http://www.virusexperts.org/wp-content/uploads/2009/09/Magania.bzmw_Trojan_Removal_virusexperts.org_.zip
polonus
Downloaded, unzipped and ran both. Re-booting now to see how it worked;)
Joe.......
Avast popped up a warning after the re-boot, it is still there.
Joe.......
-
Hi JoeMcLaughlin,
Someone will dive into your problem soon and propose a malware removal scheme,
polonus
-
Hi lets see what you have first
To ensure that I get all the information this log will need to be uploaded to Mediafire (http://www.mediafire.com/) and post the sharing link.
Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop
- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Check the box that says 64 bit
- Under Additional Scans check the following:
- Reg - Shell Spawning
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
- Under custom scans copy and paste the following
- %systemroot%\*. /s /r
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
-
Got it downloaded and just about ready to run. I do not see a 64 bit option.
Joe.......
-
That wiill only appear if you have a 64 bit system
-
Done: http://www.tripleateam.com/dirt/d/85555-1/OTS.Txt
Let me know if that format is right? I still have it open ands can change easily.
Joe........
-
also, uploaded to mediashare:
http://www.mediafire.com/?sharekey=fb5dee297b0bfd3a1f8e0fff488e27e0e04e75f6e8ebb871
-
Did you install a key logger on your system ?
Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Processes - Safe List]
YY -> restorer64_a.exe -> C:\WINDOWS\System32\restorer64_a.exe
[Modules - Safe List]
YY -> ijejaxakuqejako.dll -> C:\WINDOWS\ijejaxakuqejako.dll
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3b6e57bf-f6b9-4bc9-948b-c7ae92c29edd} [HKLM] -> C:\WINDOWS\System32\c_1ext.dll [Reg Error: Value error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Jdiqohovojamaze" -> C:\WINDOWS\ijejaxakuqejako.DLL [rundll32.exe "C:\WINDOWS\ijejaxakuqejako.dll",Startup]
YY -> "restorer64_a" -> C:\WINDOWS\System32\restorer64_a.exe [C:\WINDOWS\system32\restorer64_a.exe]
[Registry - Additional Scans - Safe List]
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
YN -> regfile [merge] -> Reg Error: Key error.
YN -> txtfile [edit] -> Reg Error: Key error.
[Files/Folders - Created Within 30 Days]
NY -> AntivirusPro_2010 -> C:\AntivirusPro_2010
NY -> AntivirusPro_2010 -> C:\Program Files\AntivirusPro_2010
NY -> rundll22.exe -> C:\WINDOWS\rundll22.exe
[Files/Folders - Modified Within 30 Days]
NY -> oashdihasidhasuidhiasdhiashdiuasdhasd -> C:\Documents and Settings\Owner\oashdihasidhasuidhiasdhiashdiuasdhasd
NY -> Ojicomucetuhese.dat -> C:\WINDOWS\Ojicomucetuhese.dat
NY -> Ogazisohahoze.bin -> C:\WINDOWS\Ogazisohahoze.bin
NY -> umysilyz._dl -> C:\Program Files\Common Files\umysilyz._dl
NY -> ehaho._sy -> C:\WINDOWS\System32\ehaho._sy
NY -> opevykoq.db -> C:\Program Files\Common Files\opevykoq.db
NY -> idepaxi.vbs -> C:\WINDOWS\System32\idepaxi.vbs
NY -> ojyxul.dll -> C:\Program Files\Common Files\ojyxul.dll
NY -> ebilyq.scr -> C:\WINDOWS\ebilyq.scr
NY -> nyhuby.inf -> C:\Program Files\Common Files\nyhuby.inf
NY -> ocagovugyj.com -> C:\Documents and Settings\All Users\Application Data\ocagovugyj.com
NY -> ajiqadab.com -> C:\Documents and Settings\All Users\Application Data\ajiqadab.com
NY -> nuhugutyr.vbs -> C:\Program Files\Common Files\nuhugutyr.vbs
NY -> quhepahor.lib -> C:\WINDOWS\System32\quhepahor.lib
NY -> isabik.reg -> C:\Program Files\Common Files\isabik.reg
NY -> wapypum.com -> C:\WINDOWS\System32\wapypum.com
NY -> caxum.pif -> C:\Documents and Settings\All Users\Documents\caxum.pif
NY -> jupikuzavi.reg -> C:\WINDOWS\jupikuzavi.reg
NY -> xudipopiwo.bin -> C:\Documents and Settings\All Users\Application Data\xudipopiwo.bin
NY -> ugupako.bat -> C:\WINDOWS\ugupako.bat
NY -> meqybeno._dl -> C:\Program Files\Common Files\meqybeno._dl
NY -> edydanene.reg -> C:\Program Files\Common Files\edydanene.reg
NY -> hygipato.vbs -> C:\WINDOWS\hygipato.vbs
NY -> wirulekoga.reg -> C:\WINDOWS\wirulekoga.reg
NY -> mubegyp.lib -> C:\WINDOWS\System32\mubegyp.lib
NY -> aryzery.exe -> C:\Program Files\Common Files\aryzery.exe
NY -> jalyviku.sys -> C:\WINDOWS\System32\jalyviku.sys
NY -> qykady.com -> C:\WINDOWS\System32\qykady.com
NY -> apuzu.scr -> C:\Program Files\Common Files\apuzu.scr
NY -> fuzove.sys -> C:\Documents and Settings\All Users\Application Data\fuzove.sys
NY -> ruleqen.bat -> C:\WINDOWS\System32\ruleqen.bat
NY -> unumut.sys -> C:\WINDOWS\unumut.sys
NY -> yfepucolaf.dl -> C:\Program Files\Common Files\yfepucolaf.dl
NY -> ohasyfyr.ban -> C:\Documents and Settings\All Users\Application Data\ohasyfyr.ban
NY -> inojo.vbs -> C:\WINDOWS\System32\inojo.vbs
NY -> ewavoliz.pif -> C:\Documents and Settings\All Users\Application Data\ewavoliz.pif
NY -> wefehijyq.dll -> C:\WINDOWS\wefehijyq.dll
NY -> jugimotopi.inf -> C:\WINDOWS\jugimotopi.inf
NY -> uqudyxa.scr -> C:\WINDOWS\System32\uqudyxa.scr
NY -> ujehisum.bin -> C:\Documents and Settings\All Users\Application Data\ujehisum.bin
NY -> yvujihaqej.bat -> C:\Documents and Settings\All Users\Application Data\yvujihaqej.bat
NY -> restorer64_a.exe -> C:\WINDOWS\System32\restorer64_a.exe
NY -> rundll22.exe -> C:\WINDOWS\rundll22.exe
NY -> vpg_bcsb.ini -> C:\WINDOWS\vpg_bcsb.ini
[Files - No Company Name]
NY -> oashdihasidhasuidhiasdhiashdiuasdhasd -> C:\Documents and Settings\Owner\oashdihasidhasuidhiasdhiashdiuasdhasd
NY -> umysilyz._dl -> C:\Program Files\Common Files\umysilyz._dl
NY -> opevykoq.db -> C:\Program Files\Common Files\opevykoq.db
NY -> idepaxi.vbs -> C:\WINDOWS\System32\idepaxi.vbs
NY -> ojyxul.dll -> C:\Program Files\Common Files\ojyxul.dll
NY -> ebilyq.scr -> C:\WINDOWS\ebilyq.scr
NY -> nyhuby.inf -> C:\Program Files\Common Files\nyhuby.inf
NY -> ocagovugyj.com -> C:\Documents and Settings\All Users\Application Data\ocagovugyj.com
NY -> ajiqadab.com -> C:\Documents and Settings\All Users\Application Data\ajiqadab.com
NY -> nuhugutyr.vbs -> C:\Program Files\Common Files\nuhugutyr.vbs
NY -> quhepahor.lib -> C:\WINDOWS\System32\quhepahor.lib
NY -> isabik.reg -> C:\Program Files\Common Files\isabik.reg
NY -> wapypum.com -> C:\WINDOWS\System32\wapypum.com
NY -> caxum.pif -> C:\Documents and Settings\All Users\Documents\caxum.pif
NY -> ehaho._sy -> C:\WINDOWS\System32\ehaho._sy
NY -> xudipopiwo.bin -> C:\Documents and Settings\All Users\Application Data\xudipopiwo.bin
NY -> ugupako.bat -> C:\WINDOWS\ugupako.bat
NY -> meqybeno._dl -> C:\Program Files\Common Files\meqybeno._dl
NY -> edydanene.reg -> C:\Program Files\Common Files\edydanene.reg
NY -> jupikuzavi.reg -> C:\WINDOWS\jupikuzavi.reg
NY -> hygipato.vbs -> C:\WINDOWS\hygipato.vbs
NY -> wirulekoga.reg -> C:\WINDOWS\wirulekoga.reg
NY -> Security Tool.lnk -> C:\Documents and Settings\Owner\Desktop\Security Tool.lnk
NY -> mubegyp.lib -> C:\WINDOWS\System32\mubegyp.lib
NY -> jalyviku.sys -> C:\WINDOWS\System32\jalyviku.sys
NY -> qykady.com -> C:\WINDOWS\System32\qykady.com
NY -> apuzu.scr -> C:\Program Files\Common Files\apuzu.scr
NY -> fuzove.sys -> C:\Documents and Settings\All Users\Application Data\fuzove.sys
NY -> ruleqen.bat -> C:\WINDOWS\System32\ruleqen.bat
NY -> unumut.sys -> C:\WINDOWS\unumut.sys
NY -> yfepucolaf.dl -> C:\Program Files\Common Files\yfepucolaf.dl
NY -> ohasyfyr.ban -> C:\Documents and Settings\All Users\Application Data\ohasyfyr.ban
NY -> inojo.vbs -> C:\WINDOWS\System32\inojo.vbs
NY -> ewavoliz.pif -> C:\Documents and Settings\All Users\Application Data\ewavoliz.pif
NY -> wefehijyq.dll -> C:\WINDOWS\wefehijyq.dll
NY -> jugimotopi.inf -> C:\WINDOWS\jugimotopi.inf
NY -> aryzery.exe -> C:\Program Files\Common Files\aryzery.exe
NY -> uqudyxa.scr -> C:\WINDOWS\System32\uqudyxa.scr
NY -> ujehisum.bin -> C:\Documents and Settings\All Users\Application Data\ujehisum.bin
NY -> yvujihaqej.bat -> C:\Documents and Settings\All Users\Application Data\yvujihaqej.bat
NY -> Ogazisohahoze.bin -> C:\WINDOWS\Ogazisohahoze.bin
NY -> Ojicomucetuhese.dat -> C:\WINDOWS\Ojicomucetuhese.dat
NY -> restorer64_a.exe -> C:\WINDOWS\System32\restorer64_a.exe
NY -> vpg_bcsb.ini -> C:\WINDOWS\vpg_bcsb.ini
NY -> ijejaxakuqejako.dll -> C:\WINDOWS\ijejaxakuqejako.dll
[File - Lop Check]
NY -> 79964237 -> C:\Documents and Settings\All Users\Application Data\79964237
NY -> FunWebProducts -> C:\Documents and Settings\Edie\Application Data\FunWebProducts
[Empty Temp Folders]
The fix should only take a very short time during this you will lose your taskbar and it will ask for a reboot. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
THEN
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
-
I never use this PC, it is a general PC that the family uses. You know myspace, gaming etc. My wife is a little irritated because she uses this PC t do her college work on;) Executing your fix now.
Joe.........
-
OTS has been parsing registry list for a long time now, it looks like it is hung up?
Joe.......
-
Close it down and run malwarebytes - then on completion re-run a scan only with OTS
-
Still parsing registry list I think it is safe to assume it is hung up?
Joe.........
-
Aye sounds like it has - unusual but sometimes that happens
Stop OTS and continue with MBAM please, also what problems are you gettin now
-
Running MBAM now. So far 24K files scanned and 30 are infected. This will take a while I have 250K image files on the hard drive;) So far the virus has not been a major pain like I have seen some. Things still run. Firefox was having issues but I simply uninstalled it, using IE now. I'm sticking with it to kill this bug or mutiple but there comes a point when it is easier to do a format and start over.
Joe.......
-
The choice at the end of the day is yours but I feel you are not far from killing it now. I will be offline soon as it is near midnight here
I will look in again tomorrow
-
Thanks for the help;) MBAM is still running 33 files infected. While it is running I hae alt plan B going;) All my pictures and any critical files are being backed up to an external USB drive so if it comes to it I will launch the nukes at the hard drive and install all over. Might be a good time to set up for a dual boot hard drive and run Linux.
Joe......
-
Done
-
Have you succeeded in removing it Joey? I have just come across mal0b-z on what is a generally well kept computer. This thing well not go away! I have already run Malwaerbytes, Spybot as well as having Avast newly installed to replace AVG. This thing is nasty! I am presently trying Trend online -- Panda online isn't working for some reason.
-
At the moment it looks like this thing may be gone. MBAM just completed a scann and found nothing. I did do a couple other things that may or may not be related. I found antivuruspro2010 installed as a program and removed it with add and remove software. also, I did a search on the hard drive for all files and folder containing virus and found this file: ANTIVIRUSPRO_2010.EXE-1AFD7E6B.pf in c:windows/prefetch Found AntivirusPro_2010 shortcut in c:\windows\system32\config\systemprofile\Desktop renamed both files and deleted. I still need to do a coupel more scans but so far so good. To speed things up a bit I have moved all the pictures, video, docs etc to an external hard drive.
Joe.......
-
Well I posted too soon. Avast has found more
Win32:Cutwail [Trj]
Win32:Malware-gen
and it is still scanning :o
Joe.......
-
win32 cutwail with various variants : Symptoms of Win32/Cutwail infection:
Slow computer speed, slow starups and reboots, strange running system processes
Slow surfing speed and obstructed transfer rate
Porn advertisements popups appear even with pop up blockers
Hijacked and altered browser homepage settings
Win32/Cutwail patch up, re-activate and update its files
Windows bleep error sound at shutdown
Data loss and "blue screen of death"
Incapability to modify your desktop wallpaper
Win32/Cutwail Activities:
Tracks surfing habits to generate equivalent pop up advertisements
Download and install third party software and trojans through security loopholes
Cutwail can bypass security programs by hide itself as genuine windows program
Sends keystrokes and username information to hackers
Records windows actions and values in the system registry
Removal in SafeMode: http://forums.majorgeeks.com/showthread.php?t=115579
Cutwail manual removal:
Step 1 : Use Windows Task Manager to Remove Cutwail Processes
Remove the "Cutwail" processes files:
Kill processes:
outpuk24[1].exe 943327918.exe
Remove the "Cutwail" processes files:
setupapi.dll
outpuk24[1].exe
Step 2 : Use Registry Editor to Remove Cutwail Registry Values
First make a back-up of your registry in case anything goes wrong...
Delete registry values:
HKEY_CLASSES_ROOT\clsid\{36b0a261-ea24-6be5-6027-7fc4035dd69b}
HKEY_CLASSES_ROOT\clsid\{7b5a24ee-1a07-53ab-eb60-eb908c88e935}
HKEY_CLASSES_ROOT\clsid\{51704c8a-007a-8362-32d7-c2ee36ce9214}
HKEY_CLASSES_ROOT\clsid\{97b59ad2-1228-70b8-ca0b-b7594efcbe07}
HKEY_CLASSES_ROOT\clsid\{f7405b81-92e2-ba64-ee73-933738d57403}
HKEY_CURRENT_USER\software\wget
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9b71d88c-c598-4935-c5d1-43aa4db90836}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xvid
HKEY_LOCAL_MACHINE\software\wget
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_ndnet1
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_runtime
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_runtime2
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ndnet1
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\runtime
HKEY_CURRENT_USER\software\dimaware
HKEY_LOCAL_MACHINE\software\dimaware
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c4de5b15-4ffe-4c02-8cb3-cad24a33562b}
HKEY_LOCAL_MACHINE\system\currentcontrolset001\control\safeboot\minimal\ctl_w32.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset001\control\safeboot\network\ctl_w32.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset001\services\ctl_w32
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_ctl_w32
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, startkey=[%SYSTEM%]\setup.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, startkey=[%SYSTEM%]\winlog.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, startkey=[%WINDOWS%]\winnows.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run, startdrv=[%WINDOWS%]\Temp\startdrv.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run, startdrv=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run, startdrv=[%WINDOWS%]\Temp\startdrv.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run, startdrv=
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, startkey=[%WINDOWS%]\winnows.exe
Step 3 : Use Windows Command Prompt to Unregister Cutwail DLL Files
Search and unregister "Cutwail" DLL files:
Unregister DLLs:
setupapi.dll
Step 4 : Detect and Delete Other Cutwail Files
Delete files:
outpuk24[1].exe setupapi.dll rs32net.ex1 943327918.exe
polonus
-
Ok Joe as it doesn't want to go we will bring in the heavy mob
Download Combofix from any of the links below. You must rename it before saving . Rename it to Gotcha before saving it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
==================================
(http://www.hdrcgb.org.uk/g2g/Cfix_Gotcha.exe.jpg)
Double click on the renamed ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt so we can continue cleaning the system.
-
Apologies for calling you Joe-Y. Confused you with an old Blue Jay reliever ;). Just to follow up in regards to the mal0b-z exploit I have been dealing with. After the above measures I've mentioned I ran Trend Online and it found no viruses although Avast alarmed otherwise. I then downloaded Avir and ran it along with Avast. After a reboot an Avir scan found 5 offending files and deleted them. Avast no longer gave warnings of a virus. A scan with Avir, then Avast and then malwarebytes and it's looking okay. Machine has been running clean for several hours now. Thanks guys.
-
Wow... after three clean scans and 4 hours it just popped up again!
-
I sent the two new items Avast found to the vault and ran it again. I've completed three full scans now without finding any more bad stuff. It looks OK but I should restart a few times. I did remove IE as much as Microsoft would allow me. Funny that it is removed yet I still have an IE icon and it even works without add ons. I removed Firefox and re-installed. To be honest as much as this was a pain it was a good thing. I cleaned up a bunch of junk on this PC.
Joe..........
-
Did you run combofix ?
-
Thanks hugely Essexboy! Combofix found a root kit. This explains the clean scans and then reappearances of this nasty little ****. I think I'm good now although I haven't been running the machine for long now. I can now boot into safemode which I wasn't able to before. System is snappier and no more warnings. Would combo fix have remedied the situation in your opinion?
"c:\documents and settings\Sean\Application Data\inst.exe
"Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p "
My only concern presently is that XP firewall shuts off momentarily after logging in but then again it's been doing that for well over a year now. Just an MS glitch? I think so. I think I'll check my router settings while I'm at it.
Thanks again.
-
Could you let me see the log please as Combofix sometimes misses the newer variants of files. Even though it is updated near daily