terrible virus

I have some kind of virus which has locked me out of all antivirus programs. I can’t use them, and can’t install any anew.

I am unable to boot up in safe mode.

I’ve never experienced anything quite this severe.

I did a malware scan online of the application which I believe is responsible for this. And within that application were found:

PUA.Packed.Themida

and

Backdoor.VB.EV

Shutting down my computer which is very slow I sometimes see the following processes:

Sunkist.notifycondata

and something like “babyscnr”

Can you run on-line scanners?
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
AVGas (not necessary if you have AVG antispyware installed)
F-Secure
BitDefender (free removal of the malware)

Online scanners don’t seem to work either. I’ve tried several. They just keep cycling forever at the “downloading and installing onto your computer” stage.

Also, when I try to run or install an anti-virus program I get a message of this sort… here is the one I got trying to install AVG:

“action failed for file avgamsvr.exe starting service %1 is not a valid win32 application”

Trying to run any antivirus program also gives me the message “not a valid win32 application”.

Let’s try these in the order posted. Please post the logs from each if you can get them to run. You can attach them by using the additional options button on the reply page.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory - typically ‘C:\SDFix’). Open the SDFix folder in Safe Mode, then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot. Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

It is vitally important that ComboFix is renamed before it even starts to download.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

[*]If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to “Always ask me where to Save the files”.

[*]During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.
[*]Please do not rename Combofix to other names, but only to the one indicated.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Hi. Thanks a lot for your helpful post!!
I just want to let you know I did a few things before I found your post. First I was not able to boot into safe mode. It seems the virus had altered my registry. But I found a fix for this.
When I first went into safe mode (before reading your post) I found and deleted the following files:
srosa.sys
hldrrr.exe
mdelk.exe
and a folder in my drivers folder called “downld” which contained a bunch of applications with number-names like 23445422 which I suspected was part of a Trojan.
I then did an avast bootscan. Avast found 2 or 3 things.
I have no idea if what I did was completely effective. When I got back I was able to install the AVG antivirus. But other anti-virus programs were still giving me the “not a valid win32 application.”
I still notice slowness and other things with my computer, which makes me think I am still infected.

I followed the instructions in your post, and was able to do everything you suggested. I will post the logs in my next message.

Combofix and SDFix logs

hijack this log

Hi velivolus,

Did you use tbot 0913 at some time? This invokes this:
Backdoor.VB.EV
Type Malware
Type Description Malware (“malicious software”) consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.
Category Backdoor
Category Description A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user’s knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.
Level High
Level Description High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
Advice Type Remove
Release Date Feb 20 2007
Last updated on Mar 4 2008
File Traces
dd5d9fd25ccd43faf71bede9852d4e87.exe

polonus

You got a lot of it removed. You also have multiple antivirus programs installed. Disabled is not enough. Choose one and uninstall the other.

AVG7
Avast4

There was some clamAV, Avira, symantec.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\Documents and Settings\Owner\Local Settings\Temp\generator.exe
C:\WINDOWS~GLC0000.TMP

Scroll down a bit and click “send file”, wait for the results and post them in your next reply.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

There are some files I’m having trouble identifying. We’ll try to clear some of the obvious ones now.

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, set the location to your Desktop, and enter (including quotation marks) “CFscript.txt” as the filename. Using your left mouse button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

RenV:: C:\Program Files\JGsoft\EditPadPro6\editpadpro what .exe

File::
C:\Program Files\cqwydcgt.exe

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Please download Malwarebytes’ Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

oldman,

thanks a lot for your continuing help! I appreciate it.

The avira and symantec stuff looked to be just empty folders from when I uninstalled them in the past.

“generator.exe” was no longer there for some reason.
but the file beneath it I submitted and it got no result from any scanner.

I am now attaching the new combofix log and also the malware log for you to look at. (the last says “no action taken” but that is because I printed the log before deleting the items.)

To correct avast working, you should get rid of Norton:

  1. Remove NAV through Add/Remove programs from Control Panel. Boot.
  2. Use Norton Removal Tool for Windows 2000/XP/Vista. Boot.
  3. Install avast! (or repair the installation) and boot.

and Avira too, after you use Add/Remove, you should use Avira AntiVir RegistryCleaner as well as the appropriate “Uninstallation Package”, both of which can be found at: www.avira.com/en/support/av7_upgrade_tools.html

Also, Avira AntiVir 6 RegistryCleaner: http://www.avira.com/en/support/support_downloads.html.

Hi, sorry about not posting the safe mode fix, I thought I had, but you found it on your own.

Please follow DavidR’s and Tech’s advice regarding symantec and Avira

the appropriate version tool can be found here if Tech’s link doesn’t cover the version you had.

http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

I researched the files and came up with answers at both ends of the spectrum. To err on the side of caution I am going to advise you to use a known clean computer, not the infected one, and change all the passwords you use to log into anywhere on the internet.

We will have to do some investigating on our own.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)


C:\WINDOWS\system32\smab.dll
C:\WINDOWS\system32\ss.drv
C:\Program Files\serial.tde
C:\Program Files\nacurva.bmp

Scroll down a bit and click “send file”, wait for the results and post them in your next reply.

Now for some hands on investigation.

At the top of Windows Explorer, click Tools, Folder Options, then click the View tab

check Display the contents of system folders
check Show hidden files and folders
uncheck “Hide extensions for known file types” box
uncheck “Hide protected operating system files” box

Find these files and right click on them, select Properties. Please post as much info as you can find on all the tabs.

If a file comes back from virustotal as infected by a high number of scanners, don’t bother with that one.

I will give you as much info as I have

2006-07-23 18:10 484,522 --sha-r C:\Program Files\serial.tde
2006-06-05 21:43 127,412 ----a-w C:\Program Files\nacurva.bmp

2005-12-23 03:23 816,640 --sha-r C:\WINDOWS\system32\smab.dll
2007-01-16 03:54 220 --sha-w C:\WINDOWS\system32\ss.drv

I realize some have very old dates. But like I mentioned, sometimes they were removed, other times not.
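As an added illustration (not code from the thread or from ComboFix itself), here is a small Python parser for listing lines of the kind quoted above; the column layout and the DIR-style attribute positions are assumptions, and the sample input is the four lines from this post, embedded as a constructed string. It decodes the attribute field and flags the same properties a helper checks by hand: hidden+system attributes, loose files sitting directly under Program Files, and implausibly small driver files.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the four ComboFix listing lines quoted in the post above.
SAMPLE_LISTING = """\
2006-07-23 18:10 484,522 --sha-r C:\\Program Files\\serial.tde
2006-06-05 21:43 127,412 ----a-w C:\\Program Files\\nacurva.bmp
2005-12-23 03:23 816,640 --sha-r C:\\WINDOWS\\system32\\smab.dll
2007-01-16 03:54 220 --sha-w C:\\WINDOWS\\system32\\ss.drv
"""

# Assumed layout: date, time, size with thousands separators, a 7-character
# attribute field, then the path (which may itself contain spaces).
LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
                     r"(?P<size>[\d,]+) (?P<attrs>[-dshawr]{7}) (?P<path>.+)$")


@dataclass
class Entry:
    date: str
    time: str
    size: int
    attrs: str  # assumed DIR-style positions: [2]=s system, [3]=h hidden, [6]=r read-only
    path: str

    @property
    def hidden_system(self) -> bool:
        return self.attrs[2] == "s" and self.attrs[3] == "h"


def parse_listing(text: str) -> list[Entry]:
    """Parse listing lines; lines that do not match the assumed layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["date"], m["time"], int(m["size"].replace(",", "")),
                                 m["attrs"], m["path"]))
    return entries


def triage(e: Entry) -> list[str]:
    """Reasons a file deserves a closer look (empty list means nothing stood out)."""
    reasons = []
    parts = e.path.split("\\")
    if e.hidden_system:
        reasons.append("hidden+system attributes")  # rarely set on ordinary data files
    if len(parts) == 3 and parts[1].lower() == "program files":
        reasons.append("top-level file under Program Files")  # installers use subfolders
    if e.size < 1024 and e.path.lower().endswith((".drv", ".dll", ".sys")):
        reasons.append("tiny driver/library file")  # far too small to be a real driver
    return reasons
```

Running `triage` over `parse_listing(SAMPLE_LISTING)` marks serial.tde, smab.dll and ss.drv for follow-up and leaves nacurva.bmp with only its odd location.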

My system seems to be functioning pretty well since the last run of ComboFix and Malwarebytes. And AVG, which I have running now, has not detected anything new.

One strange thing that has happened is that on one of my last reboots, I believe after running ATF Cleaner (I don’t know if that is the cause, or just a coincidence in timing), I can no longer access my hotmail account from either Firefox or IE. IE tells me to “enable cookies” and even though I have followed all instructions for doing so I keep getting that message. Firefox just cycles with the message “loading” but it never loads, and tells me to enter in “classic mode” if it’s taking too long. However, if I do enter in classic mode I get the mailbox screen but can’t do anything. No buttons will work, can’t access my mail. It’s like I get a “frozen screen” or am looking at a “snapshot.”
I’m able to access hotmail from my laptop, so I know it’s something specific to this system. Could emptying all cookies using ATF cleaner have something to do with it?

Regarding changing all passwords: it would be a full day’s work for me! Would I be able to get away with changing passwords just for the most important websites, or do you feel a complete change of all is necessary?

Will post results from scans you requested as soon as I’m able.

Thanks.

Would I just change the locks on my front door and not bother with the back door or consider the windows? I would change them all; yes, it might take time, but do the important ones first and progress through the other passwords on a lesser priority (a few a day, etc.; it won’t take long).

DavidR is right about the passwords. I don’t know for certain if you have those particular trojans, but when I come across a thread where those files with the same date and size are removed and that warning issued, I pass it on. As said, it’s better to err on the side of caution.

ATF may make your system boot a little slower the first couple of times, but the cookies should be replaced. I dump mine from time to time and the only difference is, I have to relog into some sites, as the setting is set by a cookie. Does AVG have any cookie blocking capabilities?

I got the following results from Virustotal, for two of the files you wanted me to scan:

Smab.dll - 1 detection

Sunbelt: VIPRE.Suspicious

Serial.tde

Authentium: not scanned (encrypted)
Fortinet: Dloader.Q!tr
F-Prot4: File is encrypted
Microsoft: password protected
NOD32v2: Error - password protected file

I looked up info on the other files which had 0 results with Virustotal and found:

Nacurva.bmp: Bitmap image, opens with Windows Picture Viewer, accessed June 06, 2006

ss.drv: device driver, opens with unknown app, accessed: January 15, 2007

No, the AVG I’m running doesn’t seem to have any cookie blocking capabilities. It’s just the free version, with virus scanner, no web capabilities I know of.

I have no idea why I’ve lost the ability to access my hotmail account from this computer! I also find it strange that even after following the instructions for enabling cookies with IE, it is still telling me I need to enable cookies if I want to access my hotmail account!

I am able to get online with Windows Live Messenger fine. So I know it’s not my whole MSN account that’s affected; it’s just hotmail that’s giving me the problem.

AVGas can detect infected/tracing cookies.