Author Topic: How to get rid of virus dropper "install.exe"??  (Read 20987 times)


cdestefani

  • Guest
How to get rid of virus dropper "install.exe"??
« on: August 15, 2009, 11:25:31 AM »
Hello,

A PC was infected by a Trojan/rootkit/etc. dropper called “install.exe” and I am trying to fix it. This happened last Thursday night and I have tried to clean it with no success. The file resides initially in the System Volume Information folder, but then it multiplies and copies itself into other folders. If the PC is connected to the Internet, within a couple of seconds I have several Trojan generators and rootkits downloaded. Avast detects them but can’t delete them.

I ran Avast first and it found it, but it couldn’t delete it, so I then asked it to move the file to the Chest and delete it from there, and it gave me error messages.

On Friday I ran the PC in Safe Mode with Malwarebytes, which found some files and also modifications to the registry, and I cleaned them.

Then I connected the PC to the internet to update Avast and Malwarebytes, which also meant more nasty viruses were downloaded. I ran Malwarebytes and Avast and, because of the trouble deleting install.exe, I asked it to rename and move the file, again with no success. By this time the viruses had also sent the “ntfs.sys” file to the Chest. Once Avast finished I cleaned the Chest and deleted the ntfs.sys file, and the PC did not start thereafter.

This morning I downloaded the Avira Rescue CD file and could start the PC and check for viruses; over 10 files were renamed.

Then Windows XP was used to repair Windows XP; in fact I just copied the ntfs.sys file and the PC was able to start.

Once the PC was able to reboot, I started it in Safe Mode and ran Malwarebytes followed by Avast, but this time I asked for a boot-time virus check and for moving files to the Chest. In the report the ntfs.sys file was again moved. Once Avast finished, HijackThis was run to save the log.

I thought of installing Avira to clean those renamed files, but I need to update the database, and this means plugging the PC into the internet, which also means more viruses will download.

I attached the Malwarebytes, Avast and HijackThis reports for more details about this problem.

I would appreciate it if someone could assist me in getting rid of this file and tell me what I should do next to clean the PC.

Thanks in advance.

Carlos

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: How to get rid of virus dropper "install.exe"??
« Reply #1 on: August 15, 2009, 02:37:41 PM »
Hijack This Findings:

(1) Firewall
     You are either using no firewall at all or using XP's Firewall. Enhance your protection by installing a firewall that has Outbound Protection. Examples are: PCTools, Online Armor, Agnitum Outpost.

(2) Fix these entries [tick check]:
     O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [braviax] (User 'Default user')

 *Both are part of braviax

(3) Unknown ActiveX entries
     Clear your temporary internet files to get rid of some of it.
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

CharleyO

  • Guest
Re: How to get rid of virus dropper "install.exe"??
« Reply #2 on: August 15, 2009, 03:10:17 PM »
***

An analysis of your HJT log shows the following problems :

We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend that you use a firewall.


O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')
Startup entry for the Trojan.Virantix.C trojan.
http://www.bleepingcomputer.com/startups/braviax.exe-21759.html

O4 - HKUS\.DEFAULT\..\Run: [braviax] (User 'Default user')
Same as above. I suggest you use malwarebytes antimalware for removal.
http://www.malwarebytes.org/mbam.php   (download the free version, install it, update it, run a scan, and allow it to fix/remove what it finds.)

About those 3 ActiveX entries L'Arc mentioned :

O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) -
Related to macromedia.
http://www.spyandseek.com/Search.php?search_for=233C1507-6A77-46A4-9443-F871F945D258&search=SAS-Search   (12th & 13th entries on list)

O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} -
Related to Hewlett-Packard Printer Diagnostics.
http://www.spyandseek.com/Search.php?search_for=33415AC7-AFFA-4D55-B41C-C64C0D07DFCA&search=SAS-Search   (1st entry on list)

O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} -
Related to Hewlett-Packard support.
http://www.spyandseek.com/Search.php?search_for=A796D216-2DE1-4EA8-BABB-FE6E7C959098&search=SAS-Search   (3rd & 4th entries on list)

I do not think there is any worry about those 3 above entries.



Overview of running tasks (process | type | description):

smss.exe | System task | Session Manager Subsystem
winlogon.exe | System task | Microsoft Windows Logon Process
services.exe | System task | Windows Service Controller
lsass.exe | System task | Local Security Authority Service
svchost.exe | System task | Microsoft Service Host Process
svchost.exe | System task | Microsoft Service Host Process
aswUpdSv.exe | Virus scan | Avast Anti-Virus Component
ashServ.exe | Virus scan | Avast
spoolsv.exe | System task | Microsoft Printer Spooler Service
AppleMobileDeviceService.exe | Background task | Apple Mobile Device Service
mDNSResponder.exe | Background task | Bonjour for Windows Component
btwdins.exe | System task | Microsoft Bluetooth Service
svchost.exe | System task | Microsoft Service Host Process
Iaantmon.exe | Driver | Intel Application Accelerator Component
jqs.exe | Background task | jqs.exe (Java Quick Starter)
svchost.exe | System task | Microsoft Service Host Process
PD91Agent.exe | Background task | PD91Agent (PerfectDisk agent)
svchost.exe | System task | Microsoft Service Host Process
Explorer.EXE | System task | Microsoft Windows Explorer
svchost.exe | System task | Microsoft Service Host Process
ashDisp.exe | Virus scan | Avast AntiVirus
realsched.exe | Application | RealNetworks Scheduler
jusched.exe | Background task | Sun Java Update Scheduler
stsystra.exe | Driver | SigmaTel C-Major Audio Tray App
igfxpers.exe | Driver | Intel Common User Interface Module
iTunesHelper.exe | Application | Apple iTunes
issch.exe | Application | InstallShield Update Service
Iaanotif.exe | Driver | Event Monitor User
mpm.exe | Background task | Reports battery status on a portable printer
HPWuSchd2.exe | Background task | Hewlett Packard Software Update Scheduler
hkcmd.exe | Application | Intel multimedia devices
GoogleDesktop.exe | Background task | Google Desktop Search
DMXLauncher.exe | Background task | Dell Media Experience
DLACTRLW.EXE | Background task | Sonic Solutions Drive Letter Access (DLA)
Reader_sl.exe | Background task | Adobe Reader Speed Launch
Reader_sl.exe | Background task | Adobe Reader Speed Launch
Acrotray.exe | Background task | Acrobat Traybar Assistant
GoogleToolbarNotifier.exe | Background task | GoogleToolbarNotifier
TeaTimer.exe | Application | Spybot S&D Realtime Scanner
AcroDist.exe | Background task | Adobe Acrobat Distiller
MMonitor.exe | Background task | TMMonitor
MsnMsgr.Exe | Application | MSN Messenger
MsnMsgr.Exe | Background task | MsnMsgr.Exe
ctfmon.exe | System task | Alternative User Input Services
acrobat_sl.exe | Background task | Adobe Acrobat Speed Launcher
BTTray.exe | Driver | Widcomm Bluetooth Tray Application
DLG.exe | Background task | Detects whether you are plugged into a digital telephone line and displays the information graphically.
GoogleDesktopIndex.exe | Background task | Google Desktop Search
hpqtra08.exe | Background task | Hewlett Packard Imaging
EasyShare.exe | Background task | Software bundled with Kodak digital cameras to manage the connection between the PC and the camera.
BTSTAC~1.EXE | Driver | Bluetooth Stack COM Server
msoffice.exe | Background task | Microsoft Office Shortcut Bar
wuauclt.exe | System task | AutoUpdate Client
ashMaiSv.exe | Virus scan | Avast Anti-Virus Component
ashWebSv.exe | Virus scan | avast! Web Scanner
iPodService.exe | Background task | Apple iTunes
hpqSTE08.exe | Driver | HP Imaging
hpqbam08.exe | Driver | HPQBAM00
hpqgpc01.exe | Driver | GPRootImpl.exe
HijackThis.exe | Application | Merijn HijackThis

***
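The O4 and O16 lines discussed in the two replies above can be triaged mechanically, and the same parse tells you where the O4 entry actually lives in the registry, since HijackThis abbreviates `Software\Microsoft\Windows\CurrentVersion` as `..` and `HKEY_USERS` as `HKUS`. The following is an added example, not part of the original thread and not HijackThis's own code; the sample log is constructed from the entries quoted in the thread plus one invented benign `avast!` line, and the known-bad name list (`braviax` only) is an assumption standing in for a real reputation lookup:

```python
"""Triage of HijackThis-style O4/O16 log lines.

Added example, not from the original forum thread. SAMPLE_LOG is constructed
from the entries quoted in the thread plus one invented benign O4 line;
KNOWN_BAD_RUN_NAMES is an assumption for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample log (the avast! line is invented as a benign control).
SAMPLE_LOG = (
    "O4 - HKUS\\S-1-5-18\\..\\Run: [braviax] (User 'SYSTEM')\n"
    "O4 - HKUS\\.DEFAULT\\..\\Run: [braviax] (User 'Default user')\n"
    "O4 - HKLM\\..\\Run: [avast!] C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe\n"
    "O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) -\n"
    "O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} -\n"
    "O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} -\n"
)

# O4: "HIVE\..\Run: [valuename] command (User 'x')". The ".." stands for
# Software\Microsoft\Windows\CurrentVersion.
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$"
)
# O16: "DPF: {CLSID} (optional name) - optional source URL"
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*(?:\((?P<desc>[^)]*)\))?\s*-\s*(?P<url>.*)$"
)

# Assumption: a tiny known-bad list. The thread identifies "braviax" as the
# rogue-AV startup value; a real triage would use a much larger list.
KNOWN_BAD_RUN_NAMES = {"braviax"}

HIVE_NAMES = {"HKUS": "HKEY_USERS", "HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class Finding:
    severity: str       # "remove" (known bad) or "review" (unidentified)
    line: str
    reason: str
    location: str = ""  # full registry key for O4 findings


def registry_path(hive: str, key: str) -> str:
    """Expand HijackThis's abbreviated O4 location into the real registry key."""
    prefix, sep, rest = hive.partition("\\")
    full_hive = HIVE_NAMES.get(prefix, prefix) + (sep + rest if sep else "")
    return f"{full_hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\{key}"


def triage(log_text: str) -> list:
    """Return findings for known-bad Run values and unidentified ActiveX CLSIDs."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            if m.group("name").lower() in KNOWN_BAD_RUN_NAMES:
                findings.append(Finding(
                    "remove", line,
                    f"known-bad startup value '{m.group('name')}' in {m.group('hive')}",
                    registry_path(m.group("hive"), m.group("key")),
                ))
            continue
        m = O16_RE.match(line)
        # A DPF entry with neither a control name nor a source URL is the
        # "unknown ActiveX" case from the thread: identify it before keeping it.
        if m and not m.group("desc") and not m.group("url"):
            findings.append(Finding(
                "review", line,
                f"ActiveX CLSID {{{m.group('clsid')}}} with no name or source URL",
            ))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}" + (f"  ->  {f.location}" if f.location else ""))
```

The expanded `location` is the key to open in regedit; deleting the value there and ticking the line in HijackThis and choosing "Fix checked" have the same effect on the registry, and neither removes the file the value pointed to, which still has to be found and deleted separately. Both hives in the sample are outside the logged-on user's HKEY_CURRENT_USER, which is why a quick look at `HKCU\..\Run` alone would miss them.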

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33903
  • malware fighter
Re: How to get rid of virus dropper "install.exe"??
« Reply #3 on: August 15, 2009, 04:17:23 PM »
Hi cdestefani,

Braviax is malware that milks money from people by displaying misleading alerts. Braviax (also known as Cru629) appears as an icon in the system tray that mimics notifications loaded by the operating system. Cru629 also loads annoying commercial pop-ups. The purpose of all the alerts loaded by Braviax is the same: to scare people into making a purchase.
Do not trust Braviax and don’t download anything it offers! Braviax is a rogue security application. Braviax/Cru629 may download additional malware and spyware onto the compromised system.

Remove using MBAM from here:  http://www.malwarebytes.org/mbam-download.php

polonus
« Last Edit: August 15, 2009, 06:05:19 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

cdestefani

  • Guest
Re: How to get rid of virus dropper "install.exe"??
« Reply #4 on: August 15, 2009, 11:24:33 PM »
Thanks for the answers and suggestions. I would like to make clear a couple of points:

Firewall
I am using the Windows XP Firewall, but during the last couple of months at least, when I start the PC a little message comes up saying that my firewall is disabled. I searched for this issue on the net, but it seemed it was not a concern. Then I checked it and it was ON. This was suspicious to me, but I left it there.

During this virus attack I rechecked it and it was OFF; I assumed that this time it was set OFF by one of the viruses.

Is there any reliable freeware firewall that anyone is aware of?

Key Entries
How do I clean all those entries? I would appreciate some more explanation. Do I use HijackThis?

Thanks


yawetage

  • Guest
Re: How to get rid of virus dropper "install.exe"??
« Reply #5 on: August 15, 2009, 11:54:17 PM »
L'arc mentioned some good free firewalls: PC Tools, Online Armor, and Agnitum Outpost. Also, Comodo installed as a standalone is good, but it can be confusing if you don't know much about firewalls.

Don't worry about fixing the entries in Hijack This but rather download, update and run Malwarebytes from here. Malwarebytes will find the malware and you will be able to remove it.

cdestefani

  • Guest
Re: How to get rid of virus dropper "install.exe"??
« Reply #6 on: August 16, 2009, 01:14:29 AM »
I have installed on that PC Malwarebytes' Anti-Malware 1.40 with database version 2627 from 8/14/2009

I ran it in both Windows modes, standard and Safe Mode, and the results of these scans are the same: "No Malicious items were found"

I do not want to connect this PC to the net because more viruses will download. It seems to me that there must be another way to tackle this problem; maybe deleting those entries could be useful. What do you think?

I had already downloaded PCTools Firewall; do I install it now or after the PC is clean?

Thanks

micky77

  • Guest
Re: How to get rid of virus dropper "install.exe"??
« Reply #7 on: August 16, 2009, 09:17:45 AM »
You can fix those O4 entries, suggested by L' arc:
O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] (User 'Default user')
then reboot.
As for the renamed files found by Avira, they should be inactive, and deletable. Do you have the names of the files?
Also try this tool; it's a standalone tool. Run it in Safe Mode:
http://www.freedrweb.com/cureit/

YoKenny

  • Guest
Re: How to get rid of virus dropper "install.exe"??
« Reply #8 on: August 16, 2009, 10:40:59 AM »
I would download and install:
User Profile Hive Cleanup Service:
Brief Description
A service to help with slow log off and unreconciled profile problems.
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Go to Add/Remove Programs and uninstall all Adobe Readers as they are vulnerable to attack:

If you must use Adobe Reader then update to 9.1:
http://get.adobe.com/reader <== un-select Google Toolbar if you do not want it

Update to IE8:
Stay safer online
http://www.microsoft.com/windows/internet-explorer/default.aspx

Download:
http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online
« Last Edit: August 16, 2009, 11:20:55 AM by YoKenny »

cdestefani

  • Guest
Re: How to get rid of virus dropper "install.exe"??
« Reply #9 on: August 16, 2009, 11:55:53 AM »
I deleted those two entries; the HijackThis log is attached.

Also, all the files renamed by Avira were deleted.

I will visit now the www.freedweb.com site and run the utility.

Can anyone tell me if the HijackThis log indicates any infected entry? I would like to clean the PC, install the PCTools Firewall and then connect it to the net.

Thanks to all of you for the input and suggestions about this trouble.

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: How to get rid of virus dropper "install.exe"??
« Reply #10 on: August 16, 2009, 01:27:25 PM »
Quote
Can anyone tell me if the HijackThis log indicates any infected entry? I would like to clean the PC, install the PCTools Firewall and then connected to the net.

 Congratulations. The log seems to show good results. Nothing seems to be wrong.

Quote
I will visit now the www.freedweb.com site and run the utility.

 By the way, it's www.freedrweb.com ;)
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

YoKenny

  • Guest
Re: How to get rid of virus dropper "install.exe"??
« Reply #11 on: August 16, 2009, 01:50:46 PM »
There is still a bit more work to do, as not all vulnerable Adobe files have been removed; these entries still remain:
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

Remove these as well:
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} -
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} -

You need to run HijackThis in Normal mode, then post a new log after you have completely uninstalled Adobe.

cdestefani

  • Guest
Re: How to get rid of virus dropper "install.exe"??
« Reply #12 on: August 16, 2009, 04:08:15 PM »
L'arc:

I ran Dr.Web CureIt and it found a few trojans in the System Volume Information folder. However, there was one in \_restore{202550A8-7A33-4BCA ......}\RP1\A0000028.exe.xxx, with the "install.exe" file, which it said was "Trojan.MulDrop.31739". When I selected all and then clicked Delete, it was not selected and did not show any delete result. It seems to me the file is still on the HD.

I will leave it till tomorrow, download Dr.Web CureIt again, run it and see if the new virus database tells me something.

YoKenny,

The O8 entries are from my Adobe Acrobat 7.0, which I use for making PDF files; I can't delete them or uninstall it. I will remove Reader v9.0. I think that once the cleaning process finishes, I will install the PCTools Firewall; it should protect the PC and it will somehow cover the Adobe Acrobat potential risk.

What are those two O16 - DPF entries?

Tomorrow I will send the new log after I get more results.

Thanks.

micky77

  • Guest
Re: How to get rid of virus dropper "install.exe"??
« Reply #13 on: August 16, 2009, 05:11:53 PM »
You should not concern yourself with any entries in System Restore. The file \_restore{202550A8-7A33-4BCA ......}\RP1\A0000028.exe.xxx is a file renamed/deactivated by Avira.

cdestefani

  • Guest
Re: How to get rid of virus dropper "install.exe"??
« Reply #14 on: August 17, 2009, 12:24:16 AM »
micky77

I agree with you that it is a file renamed by Avira, but since it is a potential threat, I would like to delete it too.

In your opinion is there any chance that the file could become active again?

Thanks
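Whether a renamed copy such as the `A0000028.exe.xxx` in the restore point is the same dropper as `install.exe` is settled by content hash rather than by name, and the same check locates every other copy the dropper made of itself, whatever it was renamed to. The following is an added example, not from the thread and not from any of the tools mentioned in it; the directory tree, the file bytes and the restore-point folder name are constructed placeholders, and in real use `target` would be the hash of the sample taken from the Avast Chest or the AV report:

```python
"""Locate every copy of a known file by SHA-256, regardless of file name.

Added example, not from the original forum thread. build_sample_tree()
constructs a throwaway directory with placeholder contents; the
_restore{...} folder name is a dummy, not the one quoted in the thread.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed stand-ins: the "dropper" bytes and an unrelated "driver".
DROPPER_BYTES = b"MZ\x90\x00constructed-dropper-sample"
OTHER_BYTES = b"MZ\x90\x00constructed-legit-driver"

RESTORE_DIR = "_restore{00000000-0000-0000-0000-000000000000}"  # placeholder name


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, target_hashes: set) -> list:
    """Return paths (relative to root, '/'-separated) whose hash is a target.

    Unreadable files are skipped rather than aborting the sweep; on a live XP
    system that is what System Volume Information looks like to a normal
    account, so run from a rescue environment or as SYSTEM to cover it.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue
            if digest in target_hashes:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed tree: three copies of the dropper under different
    names (one AV-renamed to .xxx inside a restore point) and one other file."""
    root = tempfile.mkdtemp(prefix="sweep-demo-")
    layout = {
        "System Volume Information/install.exe": DROPPER_BYTES,
        f"System Volume Information/{RESTORE_DIR}/RP1/A0000028.exe.xxx": DROPPER_BYTES,
        "WINDOWS/Temp/install.exe": DROPPER_BYTES,
        "WINDOWS/system32/drivers/ntfs.sys": OTHER_BYTES,
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def demo() -> list:
    """Build the sample tree, sweep it for the dropper hash, clean up, return hits."""
    root = build_sample_tree()
    try:
        target = {hashlib.sha256(DROPPER_BYTES).hexdigest()}
        return sweep(root, target)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Renaming a file changes nothing about its contents, so the `.xxx` copy matches the same hash as the two `install.exe` copies while `ntfs.sys` does not; that is the practical answer to whether a renamed copy "could become active again": it cannot run by itself under the new name, but it is still the same bytes and will be flagged by any scanner that looks inside it. Restore-point copies are easiest to remove by turning System Restore off and back on after the live copies are gone, which discards all existing restore points on XP.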