Virus on my brother's computer

Hi everyone!
My brother was playing with a known safe game when avast! popped up: “Malicious Code Blocked”
It was a file inside another ending with “.script”. I ran a scan with MBAM in safe mode - nothing. Now I’m running a full system scan in normal mode. Online Armor caught a file in C:\Windows with a random name (IS_…) or something like this. I blocked it and a dll wanted to remotely control explorer.exe - I blocked it and terminated. It somehow started again and Online Armor asked to block it. I blocked it and told OA to “remember and terminate”.

Oh… and the process was: “PID 4”. I started Task Manager and Windows gave a blue screen - it crashed.

So what should we do? I’ll report back if MBAM finds something.

Thank you very much - and please be quick!

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users.
  • Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in:

%USERPROFILE%..|smtmp;true;true;true /FP
%SYSTEMDRIVE%*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Please attach the log in your next post.

It’s running. I’ll attach the log when it finishes.

It finished. Log attached!

OK, let's remove them. I will be zipping the files; could you upload the following zip file to Mediafire (link in my first post): C:\_OTS\moved files

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  is-61H96.exe -> C:\WINDOWS\is-61H96.exe
NY ->  is-61H96.msg -> C:\WINDOWS\is-61H96.msg
NY ->  is-61H96.lst -> C:\WINDOWS\is-61H96.lst
NY ->  edcf4 -> C:\Documents and Settings\All Users\Dokumentumok\edcf4
[Files - No Company Name]
NY ->  is-61H96.exe -> C:\WINDOWS\is-61H96.exe
NY ->  is-61H96.msg -> C:\WINDOWS\is-61H96.msg
NY ->  is-61H96.lst -> C:\WINDOWS\is-61H96.lst
NY ->  edcf4 -> C:\Documents and Settings\All Users\Dokumentumok\edcf4
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[ZipFiles]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

OK, it did its job.
Log attached!

What problems now?

Could you upload the zip file please so that it can be forwarded to Avast

After reboot the BIOS said “Bad disc.”. I removed my pendrive and the system started normally. The computer is turned off. We’ll test it and upload the zip tomorrow.


EDIT #1:

  • I’ll re-configure the browser (Firefox) and install some additional plugins to protect it. Thanks to OA for preventing the virus from auto-start :slight_smile:


EDIT #2:

  • 2 days ago avast! Network Shield popped up with an incoming “LSASS Exploit (SXP)” on “TCP 445” (the RPC Locator - you know). I closed the 445 and the 135 (DCOM) ports using WWDC. Do I have to do anything else?

(Yesterday we killed the virus - 2 days before this: my brother got an LSASS Exploit)

  • Additional info: the virus that avast! caught is: AutoIt:Balero-B [Wrm] - in: “C:\Documents and Settings\All Users\Documents (Dokumentumok)…”. File name: cqzzvd.exe (if this can help you)
    It was made by that thing we killed yesterday. Another thing in the chest: SOUNDMAN.EXE - Win32:Malware-Gen - Y: 2011 M:07 D:10 - C:\Windows\

And… where should I upload the zip with the virus?

Thank you very much!
I’ll report back tomorrow.

Looks like everything is O.K. for now. I hope it won’t come back.

Thank you very much for helping us.

It came back. The same cq… exe was blocked by avast!

Help please!

That is a new one - are you downloading anything?

Could I have a fresh OTS log please?

Okay, we will run it tomorrow. Oh… and it is accessed by the “System” process - PID 4.

Avast! quick scan didn’t find anything. Just popped up with Malicious Code Blocked: the filename, Win32:Balero-B (Wrm), quarantined, PID 4.

Well, he didn’t download anything as he doesn’t like downloading programs or other things.
I think he could get it from a pop-under he didn’t notice… he doesn’t visit many websites, only known safe sites - green by WOT.

I’ll continue working on it tomorrow, it’s late… :confused:

PID just relates to process memory.

Oh… O.K.
We’re starting OTS. I’ll post the log when it finishes.

— EDIT #1
Log attached…
— EDIT #1

— EDIT #2
I just did an aswMBR scan, and it found 3 locked things…
aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-03 14:21:02

14:21:02.515 OS Version: Windows 5.1.2600 Szervizcsomag 3
14:21:02.515 Number of processors: 1 586 0x2F02
14:21:02.515 ComputerName: ZOLI UserName:
14:21:13.828 Initialize success
14:21:16.328 AVAST engine defs: 11080201
14:21:20.468 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000075
14:21:20.468 Disk 0 Vendor: ST3802110A 3.AAJ Size: 76319MB BusType: 3
14:21:22.546 Disk 0 MBR read successfully
14:21:22.546 Disk 0 MBR scan
14:21:22.703 Disk 0 Windows XP default MBR code
14:21:22.734 Disk 0 scanning sectors +156280320
14:21:22.890 Disk 0 scanning C:\WINDOWS\system32\drivers
14:21:53.656 Service scanning
14:21:54.718 Service FXDRV D:\Fxdrv.sys LOCKED 21
14:21:55.531 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys LOCKED 32
14:21:55.625 Service vsdatant C:\WINDOWS\System32\vsdatant.sys LOCKED 32
14:21:56.203 Modules scanning
14:22:19.906 Disk 0 trace - called modules:
14:22:20.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys nvatabus.sys sptd.sys
14:22:20.250 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x82c96030]
14:22:20.250 3 CLASSPNP.SYS[f84effd7] → nt!IofCallDriver → \Device\00000077[0x82ca0710]
14:22:20.265 5 ACPI.sys[f824e620] → nt!IofCallDriver → \Device\00000075[0x82c50030]
14:22:20.515 AVAST engine scan C:\WINDOWS
14:22:26.234 AVAST engine scan C:\WINDOWS\system32
14:24:25.578 AVAST engine scan C:\WINDOWS\system32\drivers
14:24:42.546 AVAST engine scan C:\Documents and Settings\Gera Zoltán
14:25:50.046 AVAST engine scan C:\Documents and Settings\All Users
14:27:02.046 Scan finished successfully
14:28:11.750 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Gera Zoltán\Asztal\MBR.dat”
14:28:11.781 The log file has been saved successfully to “C:\Documents and Settings\Gera Zoltán\Asztal\aswMBR.txt”

And… I started a boot time scan - I saw the statistics, it caught the virus 2 times today - with a different file name… (same autoit.script)
— EDIT #2
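
The aswMBR log above flags three services as LOCKED, and the reply that follows identifies them by hand. The script below is an added example (not part of the thread, and not AVAST's or aswMBR's own tooling) showing how a helper could triage such lines automatically: it parses every "Service <name> <path> LOCKED <n>" entry, splits them into services with a known owner and services still unidentified, and marks drivers loading from outside the usual system32 folders. The sample input reuses three lines from the posted log plus one constructed line ("examplesvc", abcd1234.sys) that stands in for an unidentified driver; the owner mapping is taken from the reply in this thread, and the list of expected driver folders is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Added example: triage the "Service ... LOCKED" lines of an aswMBR log against
# services that have already been identified as legitimate.

# Three lines copied from the log posted in the thread, plus one constructed
# line ("examplesvc" / abcd1234.sys) standing in for a driver nobody has identified.
SAMPLE_LOG = """\
14:21:53.656 Service scanning
14:21:54.718 Service FXDRV D:\\Fxdrv.sys LOCKED 21
14:21:55.531 Service sptd C:\\WINDOWS\\System32\\Drivers\\sptd.sys LOCKED 32
14:21:55.625 Service vsdatant C:\\WINDOWS\\System32\\vsdatant.sys LOCKED 32
14:21:55.700 Service examplesvc C:\\WINDOWS\\System32\\Drivers\\abcd1234.sys LOCKED 32
14:21:56.203 Modules scanning
"""

# Identifications taken from the helper's reply in the thread; keys are lower-cased.
KNOWN_LOCKED = {
    "sptd": "Daemon Tools",
    "vsdatant": "ZoneAlarm",
    "fxdrv": "Foxconn DiagPro WDM driver",
}

# Assumption of this example: driver files normally live in one of these folders.
EXPECTED_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32")

LOCKED_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) Service (?P<name>\S+) "
    r"(?P<path>.+?) LOCKED (?P<code>\d+)$"
)


@dataclass
class LockedService:
    time: str
    name: str
    path: str
    code: int

    @property
    def unusual_location(self) -> bool:
        """True when the driver's folder is not one of the expected system folders."""
        folder = self.path.rsplit("\\", 1)[0].lower()
        return folder not in EXPECTED_DIRS


def locked_services(log_text: str) -> list[LockedService]:
    """Return every 'Service <name> <path> LOCKED <n>' line as a LockedService."""
    found = []
    for line in log_text.splitlines():
        m = LOCKED_RE.match(line.strip())
        if m:
            found.append(LockedService(m["time"], m["name"], m["path"], int(m["code"])))
    return found


def triage(log_text: str, known: dict[str, str] = KNOWN_LOCKED) -> dict[str, list[LockedService]]:
    """Split locked services into ones with a known owner and ones still unidentified."""
    report: dict[str, list[LockedService]] = {"known": [], "unknown": []}
    for svc in locked_services(log_text):
        bucket = "known" if svc.name.lower() in known else "unknown"
        report[bucket].append(svc)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for svc in result["known"]:
        print(f"OK      {svc.name:<12} {svc.path}  ({KNOWN_LOCKED[svc.name.lower()]})")
    for svc in result["unknown"]:
        flag = " [outside system32]" if svc.unusual_location else ""
        print(f"REVIEW  {svc.name:<12} {svc.path}  lock code {svc.code}{flag}")
```

Only the "REVIEW" entries need a human look (vendor lookup, file signature, submission to the AV vendor); the "OK" list is exactly the three services named in the next reply. The location flag is a hint, not a verdict: FXDRV loads from D:\ and is still legitimate.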

Those locked items are ZoneAlarm and Daemon Tools, and FXDRV.SYS is the Foxconn DiagPro WDM driver.

OK, let's look at the drivers next.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

OK. We’ll run it tomorrow and post the logs.

Looks like it deleted 2 files, I hope it’s over…
Here you are (log attached)

We’ve got good news. Today, before my brother turned off his computer, I took a look at the File System Shield: Scanned files/Infected files: ~1000/0!!. Looks like ComboFix caught that virus. We’ll test the computer for two more days to be sure that it’s gone. I’ll report the results :slight_smile:

Oh, and I’ll upload the zip with the other virus - could this “AutoIt:Balero-B” worm serve the other one? - That “is-…”'s name was Setup/Uninstall (Fake software!?).

Thank you very much, essexboy!

Let me know tomorrow how it is running, and if all is good I will remove my tools.

Looks like everything is OK. Thank you very much, again :slight_smile: