Virus stops antivirus and redirects URLs



mythosis
2009-11-06, 02:33
Had a problem with a virus. I fought most of the past 3 days straight on this thing and think I have it fixed now, mostly thanks to topics of what appears to be the exact same thing on this forum, but I would like an expert's opinion, as I am far from such when it comes to... whatever kind of virus this was/is.

That said, here is the info I know about it off the top of my head (as I've been fighting this thing for almost 3 days straight):

Quick Summary:
Virus starts processes, one of which eats mem and cpu like crazy
Search links are automatically redirected upon click
Antivirus and similar programs become unusable/undeletable


How I got it:
- Downloaded a game, or what I thought was a game. I wasn't really paying attention and only noticed after I opened it that it was a ".exe" file. (I normally scan these with multiple antivirus programs prior.) Just my luck. :)

Immediate Reactions:
1. Basic Research
- Within seconds, the file disappeared (this is when I knew it was bad). I opened Task Manager and these programs, which I had never seen before, were running: "a_exe" "b_exe" "c_exe" "mbs.exe"
  - The first 3 ran in sequential order, closing before the next one began, until it stopped on c_exe. They were all user processes, taking virtually no CPU and very little memory, except for mbs.exe. That one was 99% CPU constantly and ranging from around 100,000K to 200,000K mem usage.
- I immediately ended these processes and searched online for such processes from "http://www.tasklist.org/". They weren't listed.
I noticed that mbs.exe reopened somewhat periodically if ended, and c_exe ran only on startup. Using a program (Startup Delayer) I removed c_exe from starting, but I'm afraid I don't remember what I did to stop mbs.exe from reopening.

2. Antivirus
At the time I had Ad-Aware, AVG, and Spybot. I ran Ad-Aware first, only to find it wouldn't run. It gave a message:
"Couldn't load the resource manager."
I proceeded to uninstall (Add or Remove Programs) and opened IE to get a fresh copy. Going through Yahoo's homepage, I searched for "Ad Aware". It was the top link, but when I clicked it, my URL was redirected. This continued happening with that link and other links (although I tried the same search from my AVG search toolbar and those same links wouldn't redirect), redirecting to 1 of I believe just 3 different sites. The URL would immediately change to a search engine site (such as "http://www.google.com/") and then rest on the targeted URL site after that. I got around this by just clicking the 'cached' links, and proceeded to freshly download Ad-Aware. Upon installing, I was alerted that Ad-Aware still existed on my computer, so I rechecked Add/Remove Programs and opened my Program Files folder after. Sure enough it was still there. The processes for Ad-Aware weren't running, so I attempted to right-click-delete the entire folder (Lavasoft) but it wouldn't let me. I dragged the folder out and on to my desktop, where I could then delete it, making sure it was out of Program Files, then installed my fresh copy. Ad-Aware automatically started after install. I updated it, and ran a scan... The scan ran for about 2 minutes, then the program suddenly terminated and could no longer be run again. It was giving the same error as before.
I repeated this with AVG and Spybot, with the same results (except the error was: "Windows cannot access the specified...").
At some point I was able to manually search (based off a scanner that showed the infected files' locations before terminating) to remove 2 infected files ("mba.exe" "mbb.exe", though not sure if that's right).

3. Antivirus Fails, What Next?
First? Researched access rights (follow the error lead) and attempted some suggestions (such as folder ownership). No change. So I gave up the hope of it being a simple matter and began more drastic measures.
System Restore. To a point about 2 months ago (to a time known to be virus-free). Booted in safe mode to be sure. Freshly redownloaded the 3 mentioned programs and installed, with the same outcome.

4. New Programs
I asked my dad for help. :) He suggested a few programs and inspected the errors first hand. Somewhere there was one that said something about a missing dll file. He said "registry".
Here's a list of the programs I attempted to use. They all ran the first time, but suddenly terminated at some point during the scan (one being already 3 hours into it :hair:) and then refused to run again. Reboots and safe mode were ineffective too:
Ad-Aware
AVG
Spybot
Malwarebytes
GMER (used the random file name install)
HiJackThis
SuperAntiSpyware
ComboFix (different kind of error; researched and found a fix.)

PC Pitstop Exterminate (trial version, actually the only one that didn't self-terminate, but still only ran once)
AntiVir PE (I did not run a scan, so it is still fully functional)

5. Find Someone With The Same Problems
I'm very stubborn. And since I really don't have anything on this computer except my games and protection tools, I'm not afraid to reinstall windows. That said, I found these topics and acted based off suggestions from these:
http://forums.spybot.info/showthread.php?t=53103
http://forums.spybot.info/showthread.php?t=53010
http://forums.spybot.info/showthread.php?t=50826
which is how I came across GMER, HiJackThis, ERUNT, and ComboFix


ComboFix -> combined with info from AntiVir PE's Live Guard alerts to pinpoint the cause of ComboFix not running. Was able to find a fix (not sure how, sorry). When finally able to run, it needed to reboot the system a total of 3 times, and reloaded the user settings many more times, but ultimately it was able to fix (I hope) the issue. I was able to run (freshly installed) HiJackThis after that.

Just before posting, did the following:
MalwareBytes (fresh dl/install) Quick Scan:
9 registry
4 other
detected and removed. malwarebytes still operable.

AVG (fresh dl/install) full scan:
73 (all cookies and previous Firefox extensions)
removed. still operable.

lingering files (unable to delete, non-running)
HiJackThis.exe (desktop)
ljj9cm14.exe (GMER - Desktop)
Ad Aware (Add/Remove Programs - folder nonexistent in Program Files. Ad-Aware cannot reinstall until removed.)

So... without further spam.... Here's the logs...


Edit: Removed CF and Gmer logs, not to be posted unless requested
Do NOT run 'FIXES' (ComboFix etc) without being asked (http://forums.spybot.info/showthread.php?t=16806)


HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:09 AM, on 11/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Dan\Desktop\Tools\ANTIVI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Dan\Desktop\Tools\AntiVirus\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://y8.com/games/Street_Sesh_2_Downhill_Jam"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Dan\Desktop\Tools\ANTIVI~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Dan\Desktop\Tools\ANTIVI~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246571035156
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8578 bytes



A couple of questions:
I thought processes in Task Manager always used ".exe" or similar. Is it normal to end in "_exe"?
Can you recommend a program or guide for removing files that cannot be uninstalled/deleted/renamed via traditional methods?
I want to make sure this thing is done with. What's my next step?

All help appreciated,
- Daniel
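To show how a responder triages a HijackThis log like the one posted above, here is an added example (not from the original post, and not part of Trend Micro's tool) that parses the "Running processes" section and the R/O entries, then flags orphaned entries ("(no file)", "(file missing)"), autoruns or processes located under temp or user-profile directories, and process names that do not end in .exe. The sample log is constructed; the temp-folder paths for mbs.exe and c_exe are assumptions, since the post never says where those files lived, and the "suspect directory" list is a heuristic of mine, so tools the user deliberately runs from the Desktop will show up in the output too.

```python
import re

# Constructed sample in HijackThis log format. The mbs.exe and c_exe paths are
# assumptions for illustration; the original post does not give their location.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\DOCUME~1\Dan\LOCALS~1\Temp\mbs.exe
C:\DOCUME~1\Dan\LOCALS~1\Temp\c_exe

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [mbs] C:\DOCUME~1\Dan\LOCALS~1\Temp\mbs.exe
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Heuristic: installed software rarely lives here, dropped files often do.
SUSPECT_DIRS = re.compile(r"\\(temp|locals~1|local settings|application data|appdata|desktop)\\", re.I)
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Either a quoted path or an unquoted one ending in a PE extension.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll|scr|cpl))', re.I)


def review_hjt_log(text):
    """Return (reason, line) pairs worth a second look: triage hints, not verdicts."""
    findings = []
    in_procs = False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            in_procs = False              # a blank line ends the process list
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            if not line.lower().endswith(".exe"):
                findings.append(("process without .exe extension", line))
            elif SUSPECT_DIRS.search(line):
                findings.append(("process running from user/temp directory", line))
        elif (m := ENTRY_RE.match(line)):
            kind, body = m.groups()
            p = PATH_RE.search(body)
            path = (p.group(1) or p.group(2)) if p else ""
            if any(mk in body for mk in ORPHAN_MARKERS):
                findings.append((f"{kind} entry points at a missing file", line))
            elif kind in ("O4", "O20", "O23") and SUSPECT_DIRS.search(path):
                findings.append((f"{kind} autorun from user/temp directory", line))
    return findings
```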