Initially I noticed that Java had stopped working, throwing errors any time a Java program was opened. After attempting to reinstall it and restart the computer, at least one very visible virus was present, prompting me with messages that pretended to be an antivirus program.
I ran Spybot Search & Destroy, which removed this virus and its effects. However, another virus (or multiple) lingered on the system, causing interstitial ads when clicking website links.
AVG names two viruses, SHeur3.BIYC and Delf.TGE. It finds these viruses repeatedly, despite moving them to the virus vault.
All logs are below.
DDS log:
Code:
DDS (Ver_10-10-10.03) - NTFSx86
Run by Ben McAlpin at 15:40:30.31 on Tue 10/19/2010
internet explorer: 8.0.6001.18702
browserjavaversion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2353 [GMT -5:00]
AV: Antivirus *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
============== Running Processes ===============
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
E:\Program Files\Zmud\Zmud.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\IoctlSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trillian\trillian.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ben McAlpin\Desktop\dds.com
============== Running Processes ===============
Spybot S&D log for initial virus removal:
Code:
--- Report generated: 2010-10-15 03:24 ---
Fraud.Antivirus: [SBI $2919E597] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\AnVi
Fraud.Antivirus: [SBI $61681116] Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antivirus
Fraud.Antivirus: [SBI $7BE1C34F] Picture (File, fixed)
C:\Program Files\AnVi\about.ico
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $C2B42095] Picture (File, fixed)
C:\Program Files\AnVi\activate.ico
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $B3794BDE] Picture (File, fixed)
C:\Program Files\AnVi\buy.ico
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $45EEE5BB] Picture (File, fixed)
C:\Program Files\AnVi\help.ico
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $F51F32BB] Picture (File, fixed)
C:\Program Files\AnVi\scan.ico
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $02626465] Picture (File, fixed)
C:\Program Files\AnVi\settings.ico
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $0A960285] Picture (File, fixed)
C:\Program Files\AnVi\update.ico
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $4619B341] Picture (File, fixed)
C:\Program Files\AnVi\avt.db
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $D2C6E450] Sound file (File, fixed)
C:\Program Files\AnVi\splash.mp3
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $74303778] Executable (File, fixed)
C:\Program Files\AnVi\Uninstall.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $23E92FA5] Sound file (File, fixed)
C:\Program Files\AnVi\virus.mp3
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $B6E649D5] Data (File, fixed)
C:\Documents and Settings\Ben McAlpin\Local Settings\Temp\avt.dat
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $59B08D64] Data (File, fixed)
C:\Documents and Settings\Ben McAlpin\Local Settings\Temp\avtr.dat
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $D83577AB] Link (File, fixed)
C:\Documents and Settings\Ben McAlpin\Start Menu\Programs\AnVi\About.lnk
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $1E3F15BA] Link (File, fixed)
C:\Documents and Settings\Ben McAlpin\Start Menu\Programs\AnVi\Activate.lnk
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $9C01FC90] Link (File, fixed)
C:\Documents and Settings\Ben McAlpin\Start Menu\Programs\AnVi\Antivirus Support.lnk
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $CFA55AC0] Link (File, fixed)
C:\Documents and Settings\Ben McAlpin\Start Menu\Programs\AnVi\Antivirus.lnk
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $CD82E3CE] Link (File, fixed)
C:\Documents and Settings\Ben McAlpin\Start Menu\Programs\AnVi\Buy.lnk
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $62ECE999] Link (File, fixed)
C:\Documents and Settings\Ben McAlpin\Start Menu\Programs\AnVi\Scan.lnk
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $D9C2DE7B] Link (File, fixed)
C:\Documents and Settings\Ben McAlpin\Start Menu\Programs\AnVi\Settings.lnk
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $91F9A906] Link (File, fixed)
C:\Documents and Settings\Ben McAlpin\Start Menu\Programs\AnVi\Update.lnk
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $A05D7CA1] Program directory (Directory, fixed)
C:\Documents and Settings\Ben McAlpin\Start Menu\Programs\AnVi\
Fraud.Antivirus: [SBI $405A8027] Program directory (Directory, fixed)
C:\Program Files\AnVi\
Fraud.Antivirus: [SBI $4F1220C3] Link (File, fixed)
C:\Documents and Settings\Ben McAlpin\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $DF28923E] Link (File, fixed)
C:\Documents and Settings\Ben McAlpin\Desktop\Antivirus Support.lnk
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.Antivirus: [SBI $21E969E1] Link (File, fixed)
C:\Documents and Settings\Ben McAlpin\Desktop\Antivirus.lnk
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Fraud.DefenseCenter: [SBI $400D394B] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start
Virtumonde.prx: [SBI $B6BF2145] Autorun settings (Ivehuneh) (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ivehuneh
Virtumonde.prx: [SBI $B6BF2145] Program file (File, fixed)
C:\WINDOWS\eqobuqaget.dll
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.FraudLoad.ss: [SBI $A163FF72] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\f7c5da73-b4a5-4947-8f40-08f2871eb36b
Win32.FraudLoad.ss: [SBI $C932C2FA] Executable (File, fixed)
C:\Documents and Settings\Ben McAlpin\Local Settings\Temp\wscsvc32.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.FraudLoad.ss: [SBI $E7792B98] Picture (File, fixed)
C:\Documents and Settings\Ben McAlpin\Local Settings\Temp\8892.tmp
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.FraudLoad.ss: [SBI $E7792B98] Picture (File, fixed)
C:\Documents and Settings\Ben McAlpin\Local Settings\Temp\asd2C.tmp
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.FraudLoad.ss: [SBI $E7792B98] Picture (File, fixed)
C:\Documents and Settings\Ben McAlpin\Local Settings\Temp\asd2D.tmp
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.FraudLoad.ss: [SBI $E7792B98] Picture (File, fixed)
C:\Documents and Settings\Ben McAlpin\Local Settings\Temp\dceb.tmp
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.FraudLoad.ss: [SBI $E7792B98] Picture (File, fixed)
C:\Documents and Settings\Ben McAlpin\Local Settings\Temp\e008.tmp
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.FraudLoad.ss: [SBI $E7792B98] Picture (File, fixed)
C:\Documents and Settings\Ben McAlpin\Local Settings\Temp\e0d3.tmp
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.FraudLoad.ss: [SBI $E7792B98] Picture (File, fixed)
C:\Documents and Settings\Ben McAlpin\Local Settings\Temp\e20c.tmp
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.FraudLoad.ss: [SBI $E7792B98] Picture (File, fixed)
C:\Documents and Settings\Ben McAlpin\Local Settings\Temp\jar_cache1777189214900526169.tmp
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.FraudLoad.ss: [SBI $E7792B98] Picture (File, fixed)
C:\Documents and Settings\Ben McAlpin\Local Settings\Temp\jar_cache7578204596435630288.tmp
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.TDSS.rtk: [SBI $DFD725CE] Library (File, fixed)
C:\WINDOWS\PRAGMAnseoriyusp\PRAGMAc.dll
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.TDSS.rtk: [SBI $C13C1A61] Data (File, fixed)
C:\WINDOWS\PRAGMAnseoriyusp\PRAGMAcfg.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.TDSS.rtk: [SBI $D12A7E8E] Data (File, fixed)
C:\WINDOWS\PRAGMAnseoriyusp\PRAGMAsrcr.dat
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Win32.TDSS.rtk: [SBI $C116A1D2] Data (File, fixed)
C:\WINDOWS\Temp\PRAGMAb3b7.tmp
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-07-09 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-06-29 Includes\Adware.sbi (*)
2010-10-12 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-09-22 Includes\Dialer.sbi (*)
2010-10-12 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-10-12 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-08-02 Includes\Keyloggers.sbi (*)
2010-10-12 Includes\KeyloggersC.sbi (*)
2010-09-13 Includes\Malware.sbi (*)
2010-10-12 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-10-12 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-10-12 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-10-12 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-08-04 Includes\Trojans.sbi (*)
2010-10-12 Includes\TrojansC-02.sbi (*)
2010-10-12 Includes\TrojansC-03.sbi (*)
2010-10-12 Includes\TrojansC-04.sbi (*)
2010-10-12 Includes\TrojansC-05.sbi (*)
2010-10-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
AVG Virus Vault info:
Code:
"Infection";"Trojan horse SHeur3.BIYC";"c:\WINDOWS\Temp\mqxt.tmp.exe";"N/A";"10/18/2010, 6:53:04 PM"
"Infection";"Trojan horse Delf.TGE";"c:\WINDOWS\Temp\ksqv.tmp.exe";"N/A";"10/18/2010, 6:53:05 PM"
"Infection";"Trojan horse Delf.TGE";"c:\WINDOWS\Temp\ksqv.tmp.exe";"N/A";"10/19/2010, 8:31:12 AM"
"Infection";"May be infected by unknown virus Win32/DH.CAFF840167";"c:\System Volume Information\_restore{C2E7D54B-DA71-4B89-B5B4-13BBC369CAF7}\RP580\A0036409.dll";"N/A";"10/19/2010, 8:31:12 AM"
"Infection";"Trojan horse SHeur3.BIYC";"c:\WINDOWS\Temp\mqxt.tmp.exe";"N/A";"10/19/2010, 8:31:12 AM"
"Infection";"Trojan horse Delf.TGE";"c:\WINDOWS\Temp\ksqv.tmp.exe";"N/A";"10/19/2010, 3:29:57 PM"
"Infection";"Trojan horse SHeur3.BIYC";"c:\System Volume Information\_restore{C2E7D54B-DA71-4B89-B5B4-13BBC369CAF7}\RP580\A0038415.exe";"N/A";"10/19/2010, 3:29:57 PM"
"Infection";"Trojan horse SHeur3.BIYC";"c:\WINDOWS\Temp\mqxt.tmp.exe";"N/A";"10/19/2010, 3:29:57 PM"
"Infection";"Trojan horse SHeur3.BIYC";"c:\WINDOWS\Temp\mqxt.tmp.exe";"N/A";"10/19/2010, 3:54:03 PM"
"Infection";"Trojan horse Delf.TGE";"c:\WINDOWS\Temp\ksqv.tmp.exe";"N/A";"10/19/2010, 3:54:03 PM"
DDS did not produce any attach.txt file for me to attach. The file dds.txt never opened either, but I was able to retrieve it by searching my computer for the filename (it was in the recycle bin, for some reason). I searched my computer for attach.txt and found nothing.
I tried both the .com and .scr versions of DDS and they both had the same result. I am running Windows XP. Not sure if DDS just isn't working, or if the virus is somehow blocking its files from opening after it runs.