Author Topic: Quadruple replicating [seemingly] unstoppable attack  (Read 7029 times)


opticalnoise

  • Guest
Quadruple replicating [seemingly] unstoppable attack
« on: November 06, 2007, 09:47:34 PM »
Here is what's going on

I am getting constant reports from the on access scanner that I have infected temporary internet files, typically win(#).exe (where (#) is any number from 1-16) which I cannot delete or move to chest as they are 'in use', and I also get 'conime(#).exe' files in C:\ which I am able to delete or move. Recently the system has been finding .dll files which avast claims it "cannot process", and it doesn't find on a pre-boot scan.

*If* I use IE7 then the on access scanner is always stopping the download of various files, typically JPEGs called ad(#).jpg that always come from an IP address starting with 60.x.x.x/ad(#).jpg. Again, I can't delete these if they are on my machine as they are always 'in use'. I've noticed these files go into a folder for 'IE5' temporary internet files.

I've stopped using IE7 altogether and have switched to Firefox, but these files still keep showing up somehow. If I run a pre-boot scan, the system will find anywhere from 3-15 infected files from the following viruses: Nilage-JY, Delf-VM, ONLineGames-AD, and a fourth one that is different each time. As soon as the scan is done and XP starts, the on access scanner immediately finds 10-15 new infections again, all in the temporary internet files or in the root C directory. It's pretty obvious that even if this virus is stopped from re-downloading itself it is still replicating itself upon every single system boot - so how can I stop it from re-replicating?
« Last Edit: November 06, 2007, 09:53:09 PM by opticalnoise »

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Quadruple replicating [seemingly] unstoppable attack
« Reply #1 on: November 06, 2007, 10:04:34 PM »
and what about some firewall? you should block all connections to (and from) the given IP at first ;)

opticalnoise

  • Guest
Re: Quadruple replicating [seemingly] unstoppable attack
« Reply #2 on: November 07, 2007, 12:17:59 AM »
Good point.

I have tried starting my computer, restarting and doing a preboot scan, and letting it start again all while completely disconnected from the internet and the virus is still replicating. Obviously it has installed some kind of software into IE as it always says that the webpage is trying to run a Microsoft Database access addon so that as soon as it connects it will try to redownload. But even without an internet connection of any kind it still replicates within whatever gets left over after each virus scan.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Quadruple replicating [seemingly] unstoppable attack
« Reply #3 on: November 07, 2007, 01:22:13 AM »
I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use AVG Antispyware, SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

opticalnoise

  • Guest
Re: Quadruple replicating [seemingly] unstoppable attack
« Reply #4 on: November 08, 2007, 06:50:04 AM »
Here is my update:

I disabled system restore, rebooted and did another preboot scan, and my computer didn't claim to find any more viruses. After rebooting again, it started to find 30-40 more infections immediately. I'm now not able to get any kind of internet connection on this machine, and so I have had to switch to a different computer in order to post this and download what you suggested.

I installed all of the extra software you suggested, did all the spyware immunizations, ran the rootkit intensive scan (nothing came up), and ran the hijackthis log, here it is:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:02 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Thunder\Program\Thunder5.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\HiJackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe

O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"

O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Thunder] "C:\Program Files\Thunder\Thunder.exe" /s

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe

O4 - HKLM\..\Run: [NVDispDrv] C:\WINDOWS\NVDispDrv.exE

O4 - HKLM\..\Run: [GenProtect] C:\WINDOWS\GenProtect.exe

O4 - HKLM\..\Run: [WinForm] C:\WINDOWS\WinForm.exe

O4 - HKLM\..\Run: [MsIMMs32] C:\WINDOWS\MsIMMs32.exe

O4 - HKLM\..\Run: [Kvsc3] C:\WINDOWS\Kvsc3.exe

O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe

O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKLM\..\Policies\Explorer\Run: [comrepl32] C:\windows\system32\com\comrepl32.exe

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Tencent QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe

O4 - Startup: ??QQ.lnk

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Add to QQ Customized Emoticons - C:\Program Files\Tencent\QQ\AddEmotion.htm

O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\Tencent\QQ\AddPanel.htm

O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\Tencent\QQ\AddEmotion.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm

O8 - Extra context menu item: Send Picture with QQ MMS - C:\Program Files\Tencent\QQ\SendMMS.htm

O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\Tencent\QQ\AddToNetDisk.htm

O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder\Program\geturl.htm

O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder\Program\getallurl.htm

O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder\Thunder.exe

O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder\Thunder.exe

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'c:\windows\system32\sqmapi32.dll' missing

O16 - DPF: {19EFFC12-25FB-479A-A0F2-1569AE1B3365} - http://60.190.222.235/window.cab

O16 - DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} (InstallHelper Class) - http://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183400699750

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183407720875

O16 - DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} (KooPlayer Control) - http://www.cctv.com/p2p/tvkoo/cctvplayer.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avzxemn.dll

O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

galooma

  • Guest
Re: Quadruple replicating [seemingly] unstoppable attack
« Reply #5 on: November 08, 2007, 08:49:07 AM »
Can you run HJT again, open the misc tools section, generate a start up list and post that?

opticalnoise

  • Guest
Re: Quadruple replicating [seemingly] unstoppable attack
« Reply #6 on: November 10, 2007, 05:33:08 PM »
I did some more testing and I've definitely proven that the infection is respawning itself via the internet. I installed a firewall after wiping all the viruses and was infection free for 2 days. I then shut off the firewall and after 1 hour the scanner found 20 new infected files of the same 4 viruses. OK, so I've found a way to make the viruses unable to propagate, but how do I shut off the mechanism that is causing the propagation in the first place?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Quadruple replicating [seemingly] unstoppable attack
« Reply #7 on: November 10, 2007, 05:51:31 PM »
It has to be identified, that I believe was why Cloussau asked you to generate a start-up list.

Your firewall (what did you install?) should have been blocking the unauthorised outbound Internet connections, which will have been downloading this cr*p. So it too should have given an alert with the file name that you blocked.

I have had a quick look at your old HJT log and there are a lot of questionable entries.

Can you post a new log file (don't edit the contents, line spacing, etc.) and we will see if we can't find any others.

Did you follow Tech's advice on the other applications? If so, which did you try?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Quadruple replicating [seemingly] unstoppable attack
« Reply #8 on: November 10, 2007, 07:11:01 PM »
I've found a way to make the viruses be unable to propagate, but how do I shut off the mechanism that is causing the propagation in the first place?
Be clean...
Antitrojan and antispyware scanning are advisable.
If you don't want to install any, use on-line ones:
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
AVGas (not necessary if you have AVG antispyware installed)
F-Secure
BitDefender (free removal of the malware)
HitmanPro (multiple scanners)
The best things in life are free.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Quadruple replicating [seemingly] unstoppable attack
« Reply #9 on: November 10, 2007, 10:51:52 PM »
Quote
One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of sqmapi32.dll.
  • Select every instance of sqmapi32.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.
________________________

Please re-open HiJackThis and scan.  Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKLM\..\Run: [GenProtect] C:\WINDOWS\GenProtect.exe
O4 - HKLM\..\Run: [WinForm] C:\WINDOWS\WinForm.exe
O4 - HKLM\..\Run: [MsIMMs32] C:\WINDOWS\MsIMMs32.exe
O4 - HKLM\..\Run: [Kvsc3] C:\WINDOWS\Kvsc3.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKLM\..\Policies\Explorer\Run: [comrepl32] C:\windows\system32\com\comrepl32.exe
O16 - DPF: {19EFFC12-25FB-479A-A0F2-1569AE1B3365} - http://60.190.222.235/window.cab
O20 - AppInit_DLLs: avzxemn.dll


Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis. 

____________________________________

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\upxdnd.exe
C:\WINDOWS\GenProtect.exe
C:\WINDOWS\WinForm.exe
C:\WINDOWS\MsIMMs32.exe
C:\WINDOWS\Kvsc3.exe
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\AVPSrv.exe
C:\windows\system32\com\comrepl32.exe



Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

_________________________________

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
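The entries essexboy picks out of the HijackThis log above share a few structural traits: autostart executables sitting directly in the Windows root folder rather than in system32 or Program Files, a Run key under Policies\Explorer, an ActiveX (O16) download whose host is a bare IP address, a non-empty AppInit_DLLs value, and an LSP entry pointing at a missing DLL. The script below is an added example written for this page; it is not part of the thread, of HijackThis, or of any Trend Micro tool. It encodes those traits as heuristics and runs them over a constructed sample made of lines copied verbatim from the log above plus a few benign vendor lines for contrast. The function names `triage` and `run_target` are my own; only the Python standard library is assumed.

```python
"""Heuristic triage of HijackThis (HJT) log lines (added example, not HJT code)."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: lines copied from the HJT log posted in the thread,
# with benign Microsoft / Intel / avast! lines kept so the contrast is visible.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKLM\..\Run: [NVDispDrv] C:\WINDOWS\NVDispDrv.exE
O4 - HKLM\..\Run: [GenProtect] C:\WINDOWS\GenProtect.exe
O4 - HKLM\..\Run: [WinForm] C:\WINDOWS\WinForm.exe
O4 - HKLM\..\Run: [MsIMMs32] C:\WINDOWS\MsIMMs32.exe
O4 - HKLM\..\Run: [Kvsc3] C:\WINDOWS\Kvsc3.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [comrepl32] C:\windows\system32\com\comrepl32.exe
O4 - Startup: Tencent QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\sqmapi32.dll' missing
O16 - DPF: {19EFFC12-25FB-479A-A0F2-1569AE1B3365} - http://60.190.222.235/window.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183400699750
O20 - AppInit_DLLs: avzxemn.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O4 - <registry key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): (?:\[[^\]]*\] )?(?P<cmd>.*)$')
# An .exe directly under X:\WINDOWS\ (no subdirectory such as system32).
WINDIR_ROOT_EXE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.exe$', re.IGNORECASE)
URL_RE = re.compile(r'https?://\S+')


def run_target(cmd):
    """Return the executable a Run-key command launches: the quoted path if
    the command is quoted, otherwise its first whitespace-separated token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return a list of (reason, line) for every log line a heuristic flags."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            key, target = m.group('key'), run_target(m.group('cmd'))
            if 'policies\\explorer\\run' in key.lower():
                hits.append(('O4: Run key under Policies\\Explorer, an unusual autostart location', line))
            elif WINDIR_ROOT_EXE.match(target):
                hits.append(('O4: autostart executable dropped directly in the Windows root folder', line))
            continue
        if line.startswith('O10 -'):
            hits.append(('O10: LSP chain references a missing DLL; networking stays broken until repaired', line))
        elif line.startswith('O16 -'):
            url = URL_RE.search(line)
            host = urlparse(url.group(0)).hostname if url else None
            if host and _is_ip(host):
                hits.append(('O16: ActiveX download point is a bare IP address, not a vendor hostname', line))
        elif line.startswith('O20 - AppInit_DLLs:'):
            if line.split(':', 1)[1].strip():
                hits.append(('O20: AppInit_DLLs loads this DLL into every user-mode process', line))
    return hits


if __name__ == '__main__':
    for reason, line in triage(SAMPLE_LOG):
        print(f'{reason}\n    {line}')
```

On the sample this flags the ten HJT entries essexboy lists plus the O10 LSP line he addresses with LSPFix, and one more: `[NVDispDrv] C:\WINDOWS\NVDispDrv.exE`, which shares the Windows-root trait but was not in his fix list. That is the right way to read output like this: a heuristic produces candidates for a human to confirm against the running-process list and the rest of the log, not a list of things to delete.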