How to get rid of virus dropper "install.exe"??

Hello,

A PC was infected by a Trojan/rootkit/etc. dropper called “install.exe” and I am trying to fix it. This happened last Thursday night and I tried to clean it with no success. The file resides initially in the System Volume Information folder, but then it multiplies and copies itself into other folders. If the PC is connected to the Internet, in a couple of seconds I have several Trojan generators and rootkits downloaded. Avast detects them but can’t delete them.

I ran Avast first and it found it, but couldn’t delete it, so then I asked it to move the file to the chest and delete it from there, and it gave me error messages.

On Friday, I ran the PC in Safe Mode with Malwarebytes and found some files and also modifications to the registry, and I cleaned them.

Then I connected the PC to the internet to update Avast and Malwarebytes, which also meant more nasty viruses were downloaded. I ran Malwarebytes and Avast and, because of the trouble deleting install.exe, I asked to rename it and move it, again with no success. By this time the viruses had also sent the “ntfs.sys” file to the chest. Once Avast finished I cleaned the chest and deleted the ntfs.sys file, and the PC did not start thereafter.

This morning I downloaded the Avira Rescue CD file and could start the PC and check for viruses; over 10 files were renamed.

Then Windows XP was used to repair Windows XP; in fact I just copied the ntfs.sys file and the PC was able to start.

Once the PC was able to reboot, I started it in Safe Mode and ran Malwarebytes followed by Avast, but this time I asked for a boot virus check and for moving files to the chest. In the report the ntfs.sys file was moved again. Once Avast finished, HijackThis was run to save the log.

I thought of installing Avira to clean those renamed files, but I need to update the database and this means plugging the PC into the internet, which also means more viruses will download.

I attached the Malwarebytes, Avast and Hijackthis reports for more details about this problem.

I would appreciate it if someone could assist me in getting rid of this file and tell me what I should do next to clean the PC.

Thanks in advance.

Carlos

Hijack This Findings:

[b]Firewall[/b]
You are either using no firewall at all or using XP’s Firewall. Enhance your protection by installing a firewall that has Outbound Protection. Examples are: PCTools, Online Armor, Agnitum Outpost.

[b]Fix these entries [tick check]:[/b]
O4 - HKUS\S-1-5-18..\Run: [braviax] (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [braviax] (User ‘Default user’)

*Both are parts of braviax

[b]Unknown ActiveX’s[/b]
Clear your temporary internet files to get rid of some of it.


An analysis of your HJT log shows the following problems :

We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.

O4 - HKUS\S-1-5-18..\Run: [braviax] (User ‘SYSTEM’)
Startup entry for the Trojan.Virantix.C trojan.
http://www.bleepingcomputer.com/startups/braviax.exe-21759.html

O4 - HKUS.DEFAULT..\Run: [braviax] (User ‘Default user’)
Same as above. I suggest you use malwarebytes antimalware for removal.
http://www.malwarebytes.org/mbam.php (download the free version, install it, update it, run a scan, and allow it to fix/remove what it finds.)

About those 3 ActiveX entries L’Arc mentioned :

O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) -
Related to macromedia.
http://www.spyandseek.com/Search.php?search_for=233C1507-6A77-46A4-9443-F871F945D258&search=SAS-Search (12th & 13th entries on list)

O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} -
Related to Hewlett-Packard Printer Diagnostics.
http://www.spyandseek.com/Search.php?search_for=33415AC7-AFFA-4D55-B41C-C64C0D07DFCA&search=SAS-Search (1st entry on list)

O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} -
Related to Hewlett-Packard support.
http://www.spyandseek.com/Search.php?search_for=A796D216-2DE1-4EA8-BABB-FE6E7C959098&search=SAS-Search (3rd & 4th entries on list)

I do not think there is any worry about those 3 above entries.

Overview of running tasks :

smss.exe
System task
Session Manager Subsystem

winlogon.exe
System task
Microsoft Windows Logon Process

services.exe
System task
Windows Service Controller

lsass.exe
System task
Local Security Authority Service

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

aswUpdSv.exe
Virusscan
Avast Anti-Virus Component

ashServ.exe
Virusscan
Avast

spoolsv.exe
System task
Microsoft Printer Spooler Service

AppleMobileDeviceService.exe
Backgroundtask
Apple Mobile Device Service

mDNSResponder.exe
Backgroundtask
Bonjour for Windows Component

btwdins.exe
System task
Microsoft Bluetooth Service

svchost.exe
System task
Microsoft Service Host Process

Iaantmon.exe
Driver
Intel Application Accelerator Component

jqs.exe
Backgroundtask
jqs.exe (Java Quick Starter)

svchost.exe
System task
Microsoft Service Host Process

PD91Agent.exe
Backgroundtask
PD91Agent ( Perfectdisk agent )

svchost.exe
System task
Microsoft Service Host Process

Explorer.EXE
System task
Microsoft Windows Explorer

svchost.exe
System task
Microsoft Service Host Process

ashDisp.exe
Virusscan
Avast AntiVirus

realsched.exe
Application
RealNetworks Scheduler

jusched.exe
Backgroundtask
Sun Java Update Scheduler

stsystra.exe
Driver
SigmaTel C-Major Audio Tray App

igfxpers.exe
Driver
Intel Common User Interface Module

iTunesHelper.exe
Application
Apple Itunes

issch.exe
Application
InstallShield Update Service

Iaanotif.exe
Driver
Event Monitor User

mpm.exe
Backgroundtask
Reports battery status on a portable printer

HPWuSchd2.exe
Backgroundtask
Hewlett Packard Software Update Scheduler

hkcmd.exe
Application
Intel multimedia devices

GoogleDesktop.exe
Backgroundtask
Google Desktop Search

DMXLauncher.exe
Backgroundtask
Dell Media Experience

DLACTRLW.EXE
Backgroundtask
Sonic Solutions Drive Letter Access (DLA)

Reader_sl.exe
Backgroundtask
Adobe Reader Speed Launch

Reader_sl.exe
Backgroundtask
Adobe Reader Speed Launch

Acrotray.exe
Backgroundtask
Acrobat Traybar Assistant

GoogleToolbarNotifier.exe
Backgroundtask
GoogleToolbarNotifier

TeaTimer.exe
Application
Spybot S&D Realtime Scanner

AcroDist.exe
Backgroundtask
Adobe Acrobat Distiller

MMonitor.exe
Backgroundtask
TMMonitor

MsnMsgr.Exe
Application
MSN Messenger

MsnMsgr.Exe
Backgroundtask
MsnMsgr.Exe

ctfmon.exe
System task
Alternative User Input Services

acrobat_sl.exe
Backgroundtask
Adobe Acrobat Speed Launcher

BTTray.exe
Driver
Widcomms Bluetooth Tray Application

DLG.exe
Backgroundtask
Detects whether your are plugged into a digital telephone line and displays the information graphically.

GoogleDesktopIndex.exe
Backgroundtask
Google Desktop Search

hpqtra08.exe
Backgroundtask
Hewlett Packard Imaging

EasyShare.exe
Backgroundtask
Software bundled with Kodak digital cameras to manage the connection between the PC and the Camera.

BTSTAC~1.EXE
Driver
Bluetooth Stack COM Server

msoffice.exe
Backgroundtask
Microsoft Office Shortcut Bar

wuauclt.exe
System task
AutoUpdate Client

ashMaiSv.exe
Virusscan
Avast Anti-Virus Component

ashWebSv.exe
Virusscan
avast! Web Scanner

iPodService.exe
Backgroundtask
Apple iTunes

hpqSTE08.exe
Driver
HP Imaging

hpqbam08.exe
Driver
HPQBAM00

hpqgpc01.exe
Driver
GPRootImpl.exe

HijackThis.exe
Application
Merijn Hijackthis


Hi cdestefani,

Braviax is malware that milks money from people by displaying misleading alerts. Braviax (also known as Cru629) appears as an icon in the system tray that mimics notifications loaded by the operating system. Cru629 also loads annoying commercial pop-ups. The purpose of all the alerts loaded by Braviax is the same: to scare people and gain a purchase.
Do not trust Braviax and don’t download anything it offers! Braviax is a rogue security application. Braviax/Cru629 may download additional malware and spyware on the compromised system.

Remove using MBAM from here: http://www.malwarebytes.org/mbam-download.php

polonus

Thanks for the answers and suggestions. I would like to make clear a couple of points:

Firewall
I am using the Windows XP Firewall, but during the last couple of months at least, when I start the PC a little message comes up saying that my firewall is disabled. I searched for this issue on the net, but it seemed that it was not a concern. Then I checked it and it was ON. This was suspicious to me, but I left it there.

During this virus attack I rechecked it and it was OFF; I assumed that this time it was set OFF by one of the viruses.

Is there any reliable freeware firewall that anyone is aware of?

Key Entries
How do I clean all those entries? I would appreciate some more explanation. Do I use HijackThis?

Thanks

L’arc mentioned some good free firewalls: PC Tools, Online Armor, and Agnitum Outpost. Also, Comodo installed as a standalone is good, but it can be confusing if you don’t know much about firewalls.

Don’t worry about fixing the entries in Hijack This but rather download, update and run Malwarebytes from here. Malwarebytes will find the malware and you will be able to remove it.

I have installed on that PC Malwarebytes’ Anti-Malware 1.40 with database version 2627 from 8/14/2009

I ran it in both Windows modes, standard and safe, and the results of these scans are the same: “No Malicious items were found”.

I do not want to connect this PC to the net because more viruses will download. It seems to me that there must be another way to tackle this problem; maybe deleting those entries could be useful. What do you think?

I had already downloaded PCTools Firewall; do I install it now or after the PC is clean?

Thanks

You can fix those O4 entries, suggested by L’arc.
O4 - HKUS\S-1-5-18..\Run: [braviax] (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [braviax] (User ‘Default user’)
then reboot.
As for the renamed files found by Avira, they should be inactive and deletable. Do you have the names of the files?
Also try this tool; it’s a standalone tool, run it in safe mode:
http://www.freedrweb.com/cureit/

I would download and install:
User Profile Hive Cleanup Service:
Brief Description
A service to help with slow log off and unreconciled profile problems.
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Go to Add/Remove Programs and uninstall all Adobe Readers as they are vulnerable to attack:

If you must use Adobe Reader then update to 9.1:
http://get.adobe.com/reader <== un-select Google Toolbar if you do not want it

Update to IE8:
Stay safer online
http://www.microsoft.com/windows/internet-explorer/default.aspx

Download:
http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

I deleted those two entries, HijackThis log is attached.

Also, all the files renamed by Avira were deleted.

I will visit now the www.freedweb.com site and run the utility.

Can anyone tell me if the HijackThis log indicates any infected entry? I would like to clean the PC, install the PCTools Firewall and then connect it to the net.

Thanks to all of you for the input and suggestions about this trouble.

Congratulations. The log seems to show good results. Nothing seems to be wrong.

I will visit now the www.freedweb.com site and run the utility.

By the way, it’s www.freedrweb.com :wink:

There still is a bit more work to do, as not all vulnerable Adobe files have been removed; these entries still remain:
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

Remove these as well:
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} -
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} -

You need to run HijackThis in Normal mode then post a new log after you have completely un-installed Adobe.

L’arc:

I ran DrWeb CureIt and it found a few trojans in the System Volume Information folder. However, there was one in _restore{202550A8-7A33-4BCA …}\RP1\A0000028.exe.xxx with the “install.exe” file, saying that it was “Trojan.MulDrop.31739”. When I selected all and then clicked Delete, it was not selected and did not show any delete result. It seems to me the file is still on the HD.

I will leave it till tomorrow, download DrWeb CureIt again, run it and see if the new virus database tells me something.

YoKenny,

The O8 entries are from my Adobe Acrobat 7.0, which I use for making PDF files; I can’t delete them nor uninstall it. I will remove Reader V9.0. I think that once the cleaning process finishes, I will install the PCTools Firewall and it should protect the PC and cover somehow the Adobe Acrobat potential risk.

What are those two O16 - DPF entries?

Tomorrow I will send the new log after I get more results.

Thanks.

You should not concern yourself with any entries in system restore. The file _restore{202550A8-7A33-4BCA …}\RP1\A0000028.exe.xxx is a file renamed/deactivated by Avira.

micky77

I agree with you that it is a file renamed by Avira, but since it is a potential threat, I would like to delete it too.

In your opinion is there any chance that the file could become active again?

Thanks

Normally, any threat that is renamed, e.g. virus.exe to virus.exe.xxx, is dead and can be easily deleted. This file was found in system restore, which is no worry anyway. I would disable system restore, then re-enable it.


Please read my above post (reply #2) for information about those O16 entries.


Well, this is an update.

I installed the PCTools Firewall.

YoKenny,

I searched for those O16 entries and a HijackThis report says:

O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

I do not think I will delete them; the PC has two HP printers connected.

I attach the last HijackThis log running XP Standard mode.

Any comments will be much appreciated.

Thanks.


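As an added example, not written by any poster in this thread, here is a small Python triage script for the two HijackThis line types discussed above: the O4 autorun entries (flagged when the value name is the Braviax/Cru629 rogue named earlier, or when the entry lives under the SYSTEM or Default user hive) and the O16 DPF ActiveX entries (parsed into CLSID, description and download host so they can be checked, as the HP entries were). The sample log is constructed from lines quoted in the thread; the HKLM entry and its file path are assumed for contrast.

```python
import re
from urllib.parse import urlparse

# Run value names used by the rogue identified in this thread (Braviax, alias Cru629).
ROGUE_RUN_NAMES = {"braviax", "cru629"}
# Autorun keys of built-in accounts; legitimate installers almost never write there.
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)\s*"
                   r"(?:\(User '(?P<user>[^']*)'\))?$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*"
                    r"(?:\((?P<desc>[^)]*)\))?\s*-\s*(?P<url>\S*)$")

# Constructed sample: O4/O16 lines as quoted in the thread, plus an assumed benign HKLM entry.
SAMPLE_LOG = r"""O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] (User 'Default user')
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HPWuSchd2.exe
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} -
"""


def parse_hjt(text):
    """Turn O4 and O16 lines of a HijackThis log into dicts; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append({"type": "O4", **m.groupdict()})
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            entries.append({"type": "O16", "host": host, **m.groupdict()})
    return entries


def triage(entries):
    """Return (entry, reason) pairs for the lines an analyst should look at first."""
    findings = []
    for e in entries:
        if e["type"] == "O4":
            if e["name"].lower() in ROGUE_RUN_NAMES:
                findings.append((e, "known rogue security application"))
            elif e["key"].startswith(SYSTEM_HIVES):
                findings.append((e, "autorun under SYSTEM/Default user hive"))
        elif e["type"] == "O16" and not e["url"]:
            findings.append((e, "ActiveX DPF entry with no source URL to verify"))
    return findings
```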
A better looking HJT log. There were only 4 questionable entries but they are OK.

Three of the questionable entries were the O16 entries that we know to be OK, and this one, which is also OK:

C:\DOCUME~1\Lucila\LOCALS~1\Temp\AdskCleanup.0001
Belongs to the software Macrovision Europe Ltd. Cleanup by Macrovision Europe Ltd (www.macrovision.com).
http://www.file.net/process/adskcleanup.0001.html

So, is everything running correctly now?


Micky77

Thanks for the tip on disabling/enabling system restore.

CharleyO,

Thanks for your help with the O16 Entries and the last one you mentioned.

The PC is working fine. The only thing now is getting familiar with the Firewall, but apart from that everything is OK.

I would like to thank all of you who assisted me with this trouble.

I hope the PC will go fine for quite some time now.