Surabaya/birthday virus

Is the birthday still appearing at logon ?

Yes it is.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

  • Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.
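The FRST fix above removes an orphaned demand-start (S3) driver service whose file FRST marked [X] (missing), and the TDSSKiller step verifies driver digital signatures. The following is an added example, not from the thread or from the FRST/TDSSKiller authors, that performs the same two checks from an elevated PowerShell prompt so a reader can triage a machine before asking for help; it assumes only the standard layout of the Services registry key.

```powershell
# Added example, not taken from the thread or from FRST/TDSSKiller.
# Audits kernel-mode driver services under HKLM\SYSTEM\CurrentControlSet\Services
# and reports demand-start (Start=3, shown as "S3" in FRST logs) drivers whose
# image file is missing (an orphaned entry like BprotectEx, marked [X] by FRST)
# or whose file fails Authenticode verification (TDSSKiller's "Verify Driver
# Digital Signature" check). Run from an elevated PowerShell prompt.

function Get-SuspectDemandStartDrivers {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file system driver; Start 3 = demand start (S3)
        if ($null -eq $p -or ($p.Type -ne 1 -and $p.Type -ne 2) -or $p.Start -ne 3) { continue }
        if (-not $p.ImagePath) { continue }

        # Normalise NT-style paths (\??\C:\..., \SystemRoot\..., system32\drivers\x.sys)
        $path = $p.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Service = $key.PSChildName; ImagePath = $path
                               Issue = 'image file missing (orphaned service entry)' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Service = $key.PSChildName; ImagePath = $path
                               Issue = "signature status: $($sig.Status)" }
        }
    }
}

Get-SuspectDemandStartDrivers | Format-Table -AutoSize
```

Catalog-signed inbox Microsoft drivers can report NotSigned on older Windows versions, so treat the output as a triage list to compare against the FRST log rather than as proof of infection.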

Thanks. I will do this, but I won’t have access to the computer in question for another ~14 hours.

OK I followed your directions. I created the new fixlist.txt and ran FRST as directed. Again it encountered the same Windows error message, “Farbar Recovery Scan Tool has stopped working.” I have attached the details of that error to this (FRST-error.txt), along with the FRST log (Fixlog.txt).

I then ran TDSSKiller as instructed. It ran for ~45 seconds and found no threats or suspicious objects. I have attached the report (TDSSKiller-report.txt).

OK, that confirms the MBR is good, so next we will look for altered system files.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

OK I carried out those steps. I have attached the ComboFix log, ComboFix.txt. One small issue I noticed after it ran was that I did not disable Windows Defender (it wasn’t in the systray, so I didn’t know it was running). I hope that wasn’t an issue.

After ComboFix completed, I re-booted, and the ‘birthday’ welcome screen was gone. Additionally, I could again see all of my folders in Windows Explorer. So the 2 main symptoms of the virus appear to be gone. Good news.

Are there any more steps I need/should carry out?

Intriguing, I had already removed that task.

So could you run the computer as normal for 24 hours, and if it does not re-appear I shall tidy up.


OK I will do so. It may take ~48 hours to report back though.

No problem

OK the computer was used normally for 24 hours and it remains symptom-free. Thanks for all of that. I have a few more follow-up questions though:

  1. What should I do if I contract the virus in the future? Should I follow the same steps I did this time (post to this forum and send log files/instructions back and forth)? Or when you say, “…I shall tidy up,” does this mean that you will somehow prepare some all-in-one, mostly self-running application for future cleaning/removal of this virus?

  2. Most importantly, how can I protect myself from this virus in the future? A handful of computers on my network have contracted this virus, despite being up to date with Avast (as well as all Windows updates). Is there anything else that I can/should keep up to date that will help with prevention? Or perhaps what we learned in this exercise will be implemented into a future Avast virus update?

Thanks again for your help.

Please report back to the forum even if it is after 48 hours so that we know everything is OK from this fix. Essexboy will give you tips on how to remain clean of malware in the future.

Should you get malware in the future, open a new thread and attach the logs like you did in the beginning. Each log is analyzed, and malware changes so frequently that it is possible the malware you get next time will not be the same as this time. Do not attempt to fix it on your own, because people like Essexboy create specialized programs based on the logs you give us to remove the malware, and you would not be able to interpret them, create the programs, or remove them from your machine. We are here 24/7 and we are free, so feel free to use us.

Please get back to us when you can and let us know that everything is working OK or not. If not, let us know right away. Thank you for letting us assist you. :slight_smile:

The malware was part of a Firefox extension; once it had created a task, it was self-replicating after you tried to remove it.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Click Start then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

OK I carried out the clean-up instructions without issue.

Again, thanks for everything.

My pleasure :slight_smile: