"System fix" virus - is it gone? Need some advice on boot time scan log

Hi,

Yesterday I unfortunately got a virus with one of these fake-antivirus programs - “System Fix” - which resulted in my desktop icons being gone, the wallpaper being changed, some shortcuts in the start menu missing and some other minor changes. It also spammed me with a window saying my HDD had failed (I think, at least some sort of critical error) and started a “scan”. The virus is described here: http://www.bleepingcomputer.com/virus-removal/remove-system-fix - and I followed their guide to remove it.

It seems to have disappeared. Before, once I started up my computer it would only take a few seconds until a bunch of these HDD failure windows popped up (or some other error, can’t remember now) - but that’s gone now, and I got my desktop icons back using the Unhide app from BleepingComputer. The TDSSKiller and RKill mentioned on BleepingComputer didn’t seem to do anything really, but I didn’t have any problems starting Malwarebytes Anti-Malware.

I ran Malwarebytes Anti-Malware in safe mode with networking and it found 7 issues (3 Rogue.FakeHDD, 2 PUM.Hijack.StartMenu and 2 Trojan.Agent.Gen) - now they’re in the “quarantine”, and when I run a full scan now it doesn’t find anything. Should I go to the quarantine tab and delete them? For reference, here is the Anti-Malware log:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000 www.malwarebytes.org

Database version: v2012.03.17.06

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421

Protection: Disabled

17-03-2012 19:37:25
mbam-log-2012-03-17 (19-37-25).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 691636
Time elapsed: 32 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VwQGJwSURThVmE.exe (Rogue.FakeHDD) → Data: C:\ProgramData\VwQGJwSURThVmE.exe → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|GrpConv (Trojan.Agent.Gen) → Data: grpconv -o → Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\ProgramData\VwQGJwSURThVmE.exe (Rogue.FakeHDD) → Quarantined and deleted successfully.
C:\Users\Tobias\AppData\Local\Temp\aYY0MiDUjVhSiD.exe.tmp (Rogue.FakeHDD) → Quarantined and deleted successfully.
C:\Windows\System32\grpconv.exe (Trojan.Agent.Gen) → Quarantined and deleted successfully.

(end)

I also did full system scans with Avast and SUPERAntiSpyware and they didn’t find any issues.

However, I also did a boot-time scan with Avast, and even though the scan log that I can see in Windows says no infections were found, it did show some issues during the scan itself - here is the log:

03/18/2012 12:28 Scan of all local drives

File C:\Program Files\Common Files\Autodesk Shared\DirectConnect2012 (64-bit)\Public\DevIL\DevIL-1.7.8.zip|>devil-1.7.8\configure Error 42125 {ZIP archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\827d676a7ccadfb12c8c0a5dc44229ac\BIT1CD9.tmp|>x64\LogiLDA.dll Error 42127 {CAB archive is corrupted.}
File E:\Documents-backup\Documents\Animation-Opgaver-Retning\s083472-“NAME REMOVED”\s082730-s083472-02565-2011-XSI.zip|>s082730-s083472-02565-2011-XSI\Soft11\Render_Pictures\Thumbs.db|>256_925a1d5f3253841d Error 42144 {OLE archive is corrupted.}
File E:\Downloads\Autodesk\Maya2012\x64\DirectConnect\DirectConnect6.0.cab|>DevIL_1.7.8.zip|>devil-1.7.8\configure Error 42125 {ZIP archive is corrupted.}
File E:\Downloads\HDRLS_Pro_Demo3_64bit (1).zip|>HDR Light Studio Pro Demo v3.0x64 Installer.exe Error 42125 {ZIP archive is corrupted.}
File E:\Downloads\HDRLS_Pro_Demo3_64bit.zip|>HDR Light Studio Pro Demo v3.0x64 Installer.exe Error 42125 {ZIP archive is corrupted.}
File E:\Downloads\mr_antiGravity_Ground_ShatteringFX (1).rar|>mr_antiGravity_Ground_ShatteringFX_\Scene.rar|>Scene\rode_diffuse.tga Error 42126 {RAR archive is corrupted.}
File E:\Downloads\mr_antiGravity_Ground_ShatteringFX (1).rar|>mr_antiGravity_Ground_ShatteringFX_\Scene.rar Error 42126 {RAR archive is corrupted.}
File F:\Documents\Animation-Opgaver-Retning\s083472-“NAME REMOVED”\s082730-s083472-02565-2011-XSI.zip|>s082730-s083472-02565-2011-XSI\Soft11\Render_Pictures\Thumbs.db|>256_925a1d5f3253841d Error 42144 {OLE archive is corrupted.}
File F:\Downloads\Autodesk\Maya_2012_EJ_Win_64-bit\x64\DirectConnect\DirectConnect6.0.cab|>DevIL_1.7.8.zip|>devil-1.7.8\configure Error 42125 {ZIP archive is corrupted.}
File F:\Downloads\Autodesk_Maya_2012_English_Japanese_Win_64bit.exe|>x64\DirectConnect\DirectConnect6.0.cab|>DevIL_1.7.8.zip|>devil-1.7.8\configure Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 74560
Number of tested files: 3180456
Number of infected files: 0

Is this something I should worry about? The one that caught my attention is LogiLDA.dll, but it may be related to Logitech?

I don’t see any strange behaviour on my machine anymore, but do you think I should do any additional scans or should I feel safe about the virus being completely gone?

I hope someone can help - thanks :slight_smile:
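As an added example (not part of the thread), here is a small Python triage script for the two logs above. It parses the MBAM 1.60 scan log and the Avast boot-time output, labels each MBAM hit with the persistence mechanism it used (Run/RunOnce autostart, Explorer start-menu tampering, payload and dropper locations) and separates Avast archive-unpack errors from detections. The sample text is constructed from the logs in the post; the persistence and location labels are the example's own assumptions, not MBAM or Avast output.

```python
"""Log-triage helper added as an example (not code from the thread): parses the
MBAM 1.60 scan log and the Avast boot-time output above, names the persistence
mechanism behind each MBAM hit, and keeps Avast unpack errors apart from
detections. Both samples are constructed from the logs in the post."""
import re
from collections import Counter

# Constructed excerpt of the MBAM log above. MBAM writes "->"; the forum shows
# an arrow glyph instead, which the splitter accepts as well.
MBAM_LOG = r"""
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VwQGJwSURThVmE.exe (Rogue.FakeHDD) -> Data: C:\ProgramData\VwQGJwSURThVmE.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|GrpConv (Trojan.Agent.Gen) -> Data: grpconv -o -> Quarantined and deleted successfully.
Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
Files Detected: 3
C:\ProgramData\VwQGJwSURThVmE.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\Users\Tobias\AppData\Local\Temp\aYY0MiDUjVhSiD.exe.tmp (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\Windows\System32\grpconv.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
"""
# Constructed excerpt of the Avast boot-time scan output above.
AVAST_LOG = r"""
File C:\Program Files\Common Files\Autodesk Shared\DirectConnect2012 (64-bit)\Public\DevIL\DevIL-1.7.8.zip|>devil-1.7.8\configure Error 42125 {ZIP archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\827d676a7ccadfb12c8c0a5dc44229ac\BIT1CD9.tmp|>x64\LogiLDA.dll Error 42127 {CAB archive is corrupted.}
File E:\Downloads\HDRLS_Pro_Demo3_64bit.zip|>HDR Light Studio Pro Demo v3.0x64 Installer.exe Error 42125 {ZIP archive is corrupted.}
File E:\Downloads\mr_antiGravity_Ground_ShatteringFX (1).rar|>mr_antiGravity_Ground_ShatteringFX_\Scene.rar|>Scene\rode_diffuse.tga Error 42126 {RAR archive is corrupted.}
Number of tested files: 3180456
Number of infected files: 0
"""
SECTION = re.compile(r"^([A-Za-z ]+) Detected: (\d+)$")
ARROW = re.compile(r"\s(?:->|→)\s")
HIT = re.compile(r"^(.+?) \(([A-Za-z0-9._-]+)\)$")           # "<item> (<family>)"
AVAST_ERR = re.compile(r"^File (.+?) Error (\d+) \{([^}]*)\}$")
AVAST_TOTAL = re.compile(r"^Number of ([a-z ]+): (\d+)$")

# (substring of the upper-cased item, label); first match wins. Example's own labels.
PERSISTENCE = [
    ("\\CURRENTVERSION\\RUNONCE|", "autostart: RunOnce key"),
    ("HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN|", "autostart: Run key (per-user)"),
    ("\\CURRENTVERSION\\RUN|", "autostart: Run key (machine-wide)"),
    ("\\EXPLORER\\ADVANCED|", "UI tampering: Explorer start-menu setting"),
    ("C:\\PROGRAMDATA\\", "payload in ProgramData (writable without admin rights)"),
    ("\\APPDATA\\LOCAL\\TEMP\\", "dropper remnant in user temp"),
    ("C:\\WINDOWS\\SYSTEM32\\", "file in System32 (run sfc /scannow to confirm nothing legitimate was removed)"),
]
# Where an unreadable container lives: update caches and installers routinely
# hold nested archives a scanner cannot open, which is an error, not a verdict.
LOCATIONS = [
    ("C:\\WINDOWS\\SOFTWAREDISTRIBUTION\\DOWNLOAD\\", "Windows Update download cache"),
    ("\\DOWNLOADS\\", "user downloads"),
    ("C:\\PROGRAM FILES", "installed program files"),
]

def label(text, table, default="other"):
    upper = text.upper()
    return next((lab for marker, lab in table if marker in upper), default)

def parse_mbam(text):
    """One dict per detection line, tagged with the log section it sits in."""
    section, hits = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        parts = ARROW.split(line)                    # item | [detail] | action
        m = HIT.match(parts[0]) if section else None
        if m:
            hits.append({"section": section, "item": m.group(1), "family": m.group(2),
                         "detail": parts[1] if len(parts) > 2 else "",
                         "action": parts[-1].rstrip("."),
                         "persistence": label(m.group(1), PERSISTENCE)})
    return hits

def parse_avast_boot(text):
    """Split boot-scan output into unpack errors and the closing totals."""
    errors, totals = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = AVAST_ERR.match(line)
        if m:
            outer = m.group(1).split("|>")[0]        # the container on disk
            errors.append({"outer": outer, "nesting": m.group(1).count("|>"),
                           "code": int(m.group(2)), "message": m.group(3),
                           "location": label(outer, LOCATIONS)})
            continue
        m = AVAST_TOTAL.match(line)
        if m:
            totals[m.group(1)] = int(m.group(2))
    return errors, totals

def summarise(mbam_text=MBAM_LOG, avast_text=AVAST_LOG):
    hits = parse_mbam(mbam_text)
    errors, totals = parse_avast_boot(avast_text)
    return {"mbam_hits": len(hits),
            "mbam_by_family": dict(Counter(h["family"] for h in hits)),
            "mbam_persistence": sorted({h["persistence"] for h in hits}),
            "avast_unreadable": len(errors),
            "avast_error_codes": dict(Counter(e["code"] for e in errors)),
            "avast_infected": totals.get("infected files")}
```

On the samples, summarise() reports 7 MBAM hits across three families, four Avast lines that are all archive-unpack errors (codes 42125, 42126 and 42127) and an infected-file count of 0. The LogiLDA.dll line sits inside C:\Windows\SoftwareDistribution\Download, the folder Windows Update uses to stage downloaded packages, which the location label makes visible at a glance.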

Follow the guide here and attach logs from OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0

And probably this infection: https://www.virustotal.com/file/d0d0d53f66b400cb43b3019be9e5e49a9097458119eba8f18d27d9e7b4ac8d9b/analysis/
Do as Pondus asks you to do,

polonus

Thanks for your replies.

I have followed the guide, and as attachments you will find the MBAM log, the OTL and Extras logs, together with the aswMBR log - I was unsure if I should run the RogueKiller mentioned in the guide, so I didn’t run it at this point.

Hope to hear from you :slight_smile:

edit: Polonus, you mean that’s the infection I had? Or is that another one you think I may have?

Do you have any comments to the logs? :slight_smile:

Essexboy will when he arrives… he is on UK time and usually arrives here late.

The Malwarebytes log is clean, and aswMBR also seems to be clean… OTL is a bit more tricky to read and we need Essexboy for that one.

I much prefer roguekiller myself as it gets them all

Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
IE - HKU\S-1-5-21-468330033-517367942-3064178841-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;
[2012-03-17 18:07:48 | 000,000,679 | ---- | M] () -- C:\Users\Tobias\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012-03-17 18:07:45 | 000,000,344 | ---- | M] () -- C:\ProgramData\hrAhU4dPwhZJBl
@Alternate Data Stream - 1112 bytes -> C:\Users\Tobias\AppData\Local\Temp:h0GOfHbNytptkeVyMP

:Files
ipconfig /flushdns /c
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thanks a lot for your reply, essexboy - I ran OTL with your code and I have attached the log from the OTL quick scan I did after that. I didn’t check “scan all users”; should I have done that? Also, I’m not sure where the “Extras” log is located, if it made one, but maybe you don’t need it.

Also, it created a log after the “Run Fix”, do you need to see that too?

I hope it looks ok :slight_smile:

Yes, if I could see that log please.

Do you have any outstanding problems?

I have attached the other log.

No, the system appears to be working normally - there haven’t been any issues after the things I did in order to try and remove the virus. But I’d like to feel a little safer that it is actually completely gone and that my system is clean :slight_smile:

If all is well tomorrow, let me know and I will remove my tools.

Malwarebytes has been giving me a notification a few times that it blocked something related to skype.exe. Here is the notification:

Successfully blocked access to potentially malicious website: 83.128.88.219
Type: outgoing
Port: 49501, Process: skype.exe

You got any idea what this is?

That is an ISP next door to you in the Netherlands

Do you recognise the ISP?

http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture-3.jpg

No, I don’t know about that - I’m from Denmark, so it’s not that close…

It appears to be another MBAM block-the-whole-domain list… Is Avast alerting on it?

http://www.magic-net.info/black-list-checker.dnslookup?black=83.128.88.219&Check_RBL=Blacklist+check

I haven’t seen any Avast alerts on that - but I did get a block from a website; I can’t seem to find the logs from these blocks, though…

What I also saw was another block from MBAM, but that was for another IP (it may have started with 212, but I’m really not sure) and the process seemed to be related to Avast (maybe avastsvc.exe, but I may be wrong - I couldn’t remember this name, but a Google search led me to it)? I can’t remember the details exactly, unfortunately, and I’m not sure if I can see it in any logs?

I hadn’t been using MBAM before; I just installed the trial in order to remove that System Fix virus, so I don’t know if the alerts would have appeared before I got the System Fix virus.

I know I should have remembered the details of these blocks, but well… :frowning:

I have had some experience with MBAM blocking AvastSvc getting updates. The blocks that MBAM appears to use are very broad brush, whereas the web shield actually looks at the site before declaring it bad; it may be that Skype was just routing through that server to go somewhere else.

There should be a log within MBAM that shows which sites were blocked and which process was involved.

Okay - I hope it’s nothing that I need to worry about…

I found the log from MBAM with the blocks - it was indeed avastsvc.exe. It shows up multiple times in the log with different ports. I wanted to attach the log, but it says my upload folder is full?

Here are some of the blocks (there are 4 in total for skype.exe and 13 for avastsvc.exe; they seem to appear at the same time, but with different ports).

IP-BLOCK 83.128.88.219 (Type: outgoing, Port: 49501, Process: skype.exe)
IP-BLOCK 83.128.88.219 (Type: outgoing, Port: 49503, Process: skype.exe)
IP-BLOCK 83.128.88.219 (Type: outgoing, Port: 49504, Process: skype.exe)
IP-BLOCK 83.128.88.219 (Type: outgoing, Port: 49506, Process: avastsvc.exe)
IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 52181, Process: avastsvc.exe)
IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 52182, Process: avastsvc.exe)
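As an added example (not part of the thread), the six IP-BLOCK lines above grouped by destination in Python. It records which local processes hit each blocked address, checks whether the logged ports all fall in the Windows dynamic (ephemeral) source-port range, and gives a working verdict. The log text is constructed from the post; the list of security-service process names (SECURITY_SERVICES, including mbamservice.exe) is the example's own assumption, not something MBAM or Avast publish.

```python
"""Groups the MBAM IP-BLOCK notifications quoted above by destination. Added
as an example, not code from the thread; the six lines are constructed from
the post and the security-service process list is the example's assumption."""
import re
from collections import defaultdict

IP_BLOCK_LOG = """
IP-BLOCK 83.128.88.219 (Type: outgoing, Port: 49501, Process: skype.exe)
IP-BLOCK 83.128.88.219 (Type: outgoing, Port: 49503, Process: skype.exe)
IP-BLOCK 83.128.88.219 (Type: outgoing, Port: 49504, Process: skype.exe)
IP-BLOCK 83.128.88.219 (Type: outgoing, Port: 49506, Process: avastsvc.exe)
IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 52181, Process: avastsvc.exe)
IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 52182, Process: avastsvc.exe)
"""
LINE = re.compile(r"^IP-BLOCK (\S+) \(Type: (\w+), Port: (\d+), Process: ([^)]+)\)$")
# Windows Vista and later take client source ports from 49152-65535 (the IANA
# dynamic range). Ports in that range are the local end of the connection and
# say nothing about which remote service was contacted.
EPHEMERAL = range(49152, 65536)
# Processes that talk to their vendor's infrastructure by design (assumption
# for this example). A block on one of these is a clash between two security
# products to raise with the vendor, not evidence of malware on its own.
SECURITY_SERVICES = {"avastsvc.exe", "mbamservice.exe"}

def parse_ip_blocks(text):
    """One dict per IP-BLOCK line; anything else in the log is ignored."""
    rows = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append({"ip": m.group(1), "direction": m.group(2),
                         "port": int(m.group(3)), "process": m.group(4).lower()})
    return rows

def triage(rows):
    """Fold the rows into one record per destination with a working verdict."""
    by_ip = defaultdict(lambda: {"processes": set(), "ports": set(), "count": 0})
    for row in rows:
        entry = by_ip[row["ip"]]
        entry["processes"].add(row["process"])
        entry["ports"].add(row["port"])
        entry["count"] += 1
    result = {}
    for ip, entry in by_ip.items():
        shared_with_security_product = bool(entry["processes"] & SECURITY_SERVICES)
        result[ip] = {
            "count": entry["count"],
            "processes": sorted(entry["processes"]),
            # True means the logged ports cannot identify the remote service
            "ports_are_local_ephemeral": all(p in EPHEMERAL for p in entry["ports"]),
            "verdict": ("also contacted by a security product: likely an overbroad "
                        "block, raise with the vendor and add mutual exclusions"
                        if shared_with_security_product
                        else "unexplained destination: check what this process resolved"),
        }
    return result
```

On these lines both destinations are reached by avastsvc.exe, and every port is in the dynamic range, so the port column cannot be used to guess the remote service; the grouped view makes it clear that the question to settle is why the block list contains those addresses, which is what the reply below suggests asking the MBAM forum.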

Successfully blocked access to potentially malicious website: 83.128.88.219

Post a query on the MBAM forum web site about that IP address. They will usually respond in a short period of time.

IP-BLOCK 83.128.88.219 (Type: outgoing, Port: 49506, Process: avastsvc.exe)
IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 52181, Process: avastsvc.exe)
IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 52182, Process: avastsvc.exe)

Have you added the exceptions for Avast in MBAM Pro, and in Avast for MBAM Pro, as again stated on the MBAM forum?

See: http://forums.malwarebytes.org/index.php?showtopic=10138