Surabaya/birthday virus

I’ve contracted a virus on my Win 7 machine. It’s the Surabaya virus, with one of the hallmarks being a pop up window during the Windows welcome screen that reads:

Surabaya in my birthday Don't kill me, I'm just send message from your computer

Then a handful of lines of Indonesian text, with a lone “OK” button at the bottom. Other symptoms include not seeing any folders in Windows Explorer (even though they exist; I can access them by typing them into Windows Explorer). Any ideas on how I can rid myself of this? Maybe it goes by another name?

Further info:

I have been using the latest version of Avast, with the latest definitions.

The only thing on the Avast forums I’ve found is this thread: https://forum.avast.com/index.php?topic=62934.msg531272#msg531272 . It recommended trying MalwareBytes. I ran it but it found nothing.

I can find information about this with a Google search, but nothing from the trusted names in antivirus (Avast, Norton, AVG, Microsoft). All the hits are from small sites I’ve never heard of. Each of these sites contains different removal directions, with the lone similarity being that I have to download and install its own malware remover/scanner. I’ve tried about 3 of these, and none have worked.

Any thoughts on how I can resolve/troubleshoot further?

FYI the virus even runs when I boot to safe mode.

Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
Scroll down to Farbar Recovery Scan Tool and attach the logs here…

Thanks for the reply. But should I start at the Farbar Recovery Scan Tool and carry out the “aswMBR.exe” instructions as well? Or should I carry out JUST the Farbar instructions?

Just Farbar now…

Got it, thanks.

OK I ran it with the defaults and have attached both logs: FRST.txt and Addition.txt.

Removal team is notified

Great thanks. It’s my first time here though, so what does that mean exactly? There’s an Avast team that will analyze those results and get back to me? In this forum?

Removal team = trained and certified malware removers.
If you click the link I gave in my first post and read the info … their names are listed there :wink:

And yes, they will look at the logs and then assist you in removing the infection

Got it, thanks.

Hi, you will need to manually reset Chrome home, as my tools will not do that.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

Task: C:\Windows\Tasks\FF Watcher {210DAFA9-EC4C-4975-8C07-82F86DB0FA3E}.job => C:\Program Files\V-bates\PrefHelper.exe <==== ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://th.hao123.com/?tn=smt_pay_hp_06_hao123_th
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download MCShield to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select Scanner and tick “unhide items on flash drives”:

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and MCShield will start a scan.

Then get the log, which will be located under the Logs tab on the main page,

and post that.

FINALLY

Please download AdwCleaner by Xplode onto your desktop.

1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete click on “Clean”.
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S1].txt as well.
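A post-fix check for the artefacts named in the fixlist above, added here as an example; it is not part of this thread or of FRST, MCShield or AdwCleaner. It assumes PowerShell is available on the Windows 7 machine and assumes (not stated in the thread) that the folders missing from Explorer carry the Hidden+System attributes.

```powershell
# Added example, not part of the thread or of FRST/MCShield/AdwCleaner.
# Re-checks the three artefacts named in the fixlist after the FRST fix has run.
$taskJob    = 'C:\Windows\Tasks\FF Watcher {210DAFA9-EC4C-4975-8C07-82F86DB0FA3E}.job'
$prefHelper = 'C:\Program Files\V-bates\PrefHelper.exe'
$ieMain     = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$hijackHost = 'hao123.com'
# Assumption (not stated in the thread): the folders that no longer show in
# Explorer carry the Hidden+System attributes. $checkRoot is where to look.
$checkRoot  = $env:USERPROFILE

$findings = @()
if (Test-Path -LiteralPath $taskJob)    { $findings += "Scheduled task job still present: $taskJob" }
if (Test-Path -LiteralPath $prefHelper) { $findings += "PrefHelper.exe still present: $prefHelper" }

# The fixlist resets the IE start page; confirm it no longer points at the hijack host.
$startPage = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($startPage -and $startPage -like "*$hijackHost*") {
    $findings += "IE Start Page still set to $startPage"
}

# Directories with both Hidden and System set are not shown by Explorer unless
# "Hide protected operating system files" is switched off; list them for review.
# (PSIsContainer is used instead of -Directory so this runs on Windows 7 PowerShell 2.0.)
$hidSys = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
Get-ChildItem -LiteralPath $checkRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and (($_.Attributes -band $hidSys) -eq $hidSys) } |
    ForEach-Object { $findings += "Hidden+System directory: $($_.FullName)" }

if ($findings.Count -eq 0) { 'No fixlist artefacts found.' } else { $findings }
```

Any Hidden+System directory it lists still needs a human look: some (such as AppData subfolders or System Volume Information) are legitimate, so only clear attributes on folders you recognise as your own.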

Thanks for the quick reply. I am unclear on a few things though:

1. >> you will need to manually reset chrome home as my tools will not do that

I am unclear what you mean by this. Are you saying I need to reset my homepage in Chrome? When should I do that?

2. >> Plug in the drive and McShield will start a scan.

Sorry, to what drive are you referring? The infected drive in question is the sole hard drive in a laptop.

Thanks!

1. >> you will need to manually reset chrome home as my tools will not do that

I am unclear what you mean by this. Are you saying I need to reset my homepage in Chrome? When should I do that?

After you have run the tools … I will post a how-to for it.

2. >> Plug in the drive and McShield will start a scan.

Sorry, to what drive are you referring? The infected drive in question is the sole hard drive in a laptop.

If you have any removable drives … plug them in after you have installed MCShield … and post the allscan.txt log.

How to reset Chrome: https://support.google.com/chrome/answer/3296214?hl=en

OK thanks. This will have to wait ~12-15 hours on my end :-/

OK … Essexboy is usually here after work hours, European time.

OK I attempted to follow @essexboy’s instructions. In the first step, I copied the text to fixlist.txt, saved it to the same location as FRST, and ran FRST with the option to “Fix.” After about 30 seconds, the application encountered a Windows error, “Farbar Recovery Scan Tool has stopped working.” I have attached a screenshot of that, FRST-error.jpg. I have also attached the Windows details, FRST-error.txt. And finally, FRST also created a log of that entire process, which I have attached, Fixlog.txt.

I decided to stop here and relay this info before continuing. Please advise.

Thank you for posting your logs. At this point since you are having problems, do nothing and wait for Essexboy to give you further instructions. He comes on the forum later in the day, so please be patient. Thank you.

Will do, thanks.

Is the birthday still appearing at logon?