
Solved: Internet worm I-WORM/VB.FZ and other pesties

Discussion in 'Virus & Other Malware Removal' started by swarint, Dec 20, 2007.

Thread Status:
Not open for further replies.
  1. swarint

    swarint Thread Starter

    Joined:
    Feb 20, 2007
    Messages:
    127
    Hello friends,

    Please help and advise with suggestions.

    Firstly, pesty number 1 :eek:
    - I-WORM/FB.FZ refuses to leave my HD.

    It is multiplying in all folders and files with .exe. My AVG detects it and heals it, but it comes back again and again. The problem has somewhat slowed down since I used Vundo, but it is still there.

    I have also used SuperAntiSpyware but no effect. I use Firefox 2.0.0.11 mostly.

    Secondly, pesty number 2 :mad: which automatically starts my IE 7 with the nasties from
    www.hopelessromantic.com

    This happens ever so often and it chokes my CPU. Seems my browser is hijacked?? I have blocked this site umpteen times under Options > Tools > Privacy,
    but god knows how it bypasses the filtering.

    Please see attachment for AVG results.

    Kindly suggest some remedies. Thanks a lot folks. Cheers :)
     

    Attached Files:

  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Go to here and download the 'Hijack This!' self installer.
    Save it to the desktop or other suitable place. DO NOT just press Run from the website.
    Double click on the file and it will install to C:\program files\hijackthis and create an entry in the Start menu.
    Click on the entry in the Start menu to run HijackThis.
    Click the "Scan" button; when the scan is finished the scan button will become "Save Log", click that and save the log.
    Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
     
  3. swarint

    swarint Thread Starter

    Joined:
    Feb 20, 2007
    Messages:
    127
    Thanks a lot bro for your help. (y)
    Frankly, not tried this out yet, but I will.
    REASON is prior to your reply I ran a VundoFix and it sorted this problem, but now there is a new pest to tackle.
    Some pesty :mad: is creating a new folder in all folders/sub folders, same size, details etc. Am enclosing attachment for your attention.
    Any suggestions please? :)
    I dare not do anything extra, would hate to have a crash.
    And wish you all folks a merry Xmas :)
    Cheers
     

    Attached Files:

  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    I would post the HijackThis log so we can at least see how advanced this infection has gotten.
     
  5. swarint

    swarint Thread Starter

    Joined:
    Feb 20, 2007
    Messages:
    127
    Here we are with the HijackThis log, kindly give your comments as the system is going haywire totally.
    Now I see peskie-

    IM-WORM32. SOHAN.AM

    UNABLE TO OPEN DRIVE C OR D

    'NEW FOLDERS' being created in all drives > folders > sub folders

    unable to run any commands on 'run'

    Trojan Remover says something about disabled features like 'run', task manager...... disabled regedit etc.

    I quote the HijackThis log-

    Logfile of HijackThis v1.99.1
    Scan saved at 9:53:56 AM, on 12/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\SSVICHOSST.exe
    C:\Documents and Settings\star\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Free Upload Manager] "C:\Program Files\Free Download Manager\fum\fum.exe" -autorun
    O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
    O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSVICHOSST.exe
    O4 - Startup: Startup.exe
    O4 - Global Startup: Startup.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1196145180015
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{78E76CA1-C4BF-4A9D-9B6F-15C4056CB414}: NameServer = 203.197.12.30,172.31.6.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9970DEEC-45EB-46C3-B97C-7EB064902BCF}: NameServer = 203.197.12.30,172.31.6.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{17DEF470-41B0-44F6-8D08-FF082AF48EF2}: NameServer = 203.197.12.30 202.54.1.18
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

    P.S.
    If I may add, Comodo continuously warns about unknown files trying to load on the system, like-

    F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe

    AutoRun. F .ini scanned by AVG



    Thanks a ton for your time and effort. Cheers
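The log quoted in this post contains the three indicators a malware-removal helper reads first: a system.ini `Shell=` value that launches a second executable after Explorer.exe, an autorun entry whose file name is a near-miss spelling of a Windows process (SSVICHOSST.exe next to svchost.exe), and a policy key that disables Regedit. The Python script below is an added example, not part of this thread and not code from HijackThis; it parses those line formats and flags them automatically. The sample lines are copied from the log above; the process-name list and the 0.8 similarity threshold are assumptions chosen for this illustration.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from difflib import SequenceMatcher

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSVICHOSST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
"""

# Assumed list of Windows process names that malware commonly imitates with near-miss spellings.
WINDOWS_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "ctfmon.exe", "spoolsv.exe",
}
LOOKALIKE_THRESHOLD = 0.8  # assumed cut-off; tune it against your own logs

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
O7_RE = re.compile(r"^O7 - (?P<key>.*), (?P<value>\w+)=(?P<data>\S+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")


def executable_of(command: str) -> str:
    """Return the program path from a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike_of(exe_name: str):
    """Return the Windows process name that exe_name imitates, or None."""
    if exe_name in WINDOWS_PROCESSES:
        return None  # an exact match is the genuine name, not an imitation
    best = max(WINDOWS_PROCESSES,
               key=lambda legit: SequenceMatcher(None, exe_name, legit).ratio())
    score = SequenceMatcher(None, exe_name, best).ratio()
    return best if score >= LOOKALIKE_THRESHOLD else None


def triage(log_text: str):
    """Return (line, reason) pairs for log entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = F2_RE.match(line)
        if m:
            # A healthy system.ini Shell= value names Explorer.exe and nothing else.
            extra = [t for t in m["shell"].split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append((line, f"Shell= also starts {' '.join(extra)} besides Explorer.exe"))
            continue
        m = O4_RE.match(line)
        if m:
            name = basename(executable_of(m["cmd"]))
            legit = lookalike_of(name)
            if legit:
                findings.append((line, f"{name} imitates the Windows process {legit}"))
            continue
        m = O7_RE.match(line)
        if m and m["value"].lower().startswith("disable") and m["data"] == "1":
            findings.append((line, f"policy {m['value']} disables a built-in admin tool"))
            continue
        m = O20_RE.match(line)
        if m:
            findings.append((line, f"AppInit_DLLs loads {m['dlls']} into every GUI process; confirm its publisher"))
    return findings


if __name__ == "__main__":
    for flagged_line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {flagged_line}")
```

Run against the sample, the script flags the `F2` Shell line, the `[Yahoo Messengger]` autorun, the `DisableRegedit` policy and the `AppInit_DLLs` entry, and leaves the AVG, COMODO and ctfmon.exe autoruns alone. The AppInit_DLLs check is deliberately a "review this" rather than a verdict: legitimate security software (COMODO's guard32.dll in this very log) uses that key too, so the finding only says to confirm who signed the DLL.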


     
  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    You are quite infected.

    Please do this next:

    Download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close any open browsers.

    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • ...
    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
     
  7. swarint

    swarint Thread Starter

    Joined:
    Feb 20, 2007
    Messages:
    127
    So sorry bro, delayed reply.

    It's been a bad week.
    The system slowed down to a snail's pace, well, slower than a snail. :)

    Firstly I managed to run ComboFix after 7 or 8 tries, and when it eventually did, it took hours, meaning the system is heavily infected. So much so my DVD writer takes hours to write a 4.7 GB disc.

    And then when I was ready to transmit, my ISP took a day's holiday. Anyway, better late than never, here they are for your attention. I am sending 2 HijackThis reports, the first one was with AVG on, the other without. Hope no confusion.

    Will wait for your feedback, thanks a ton for your help.
    Cheers bro
     

    Attached Files:

  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    I will be honest, you have a lot of bad stuff going on there.
    I want to get another security guru opinion to see if this system can even be salvaged or maybe a format is just the best option.
     
  9. swarint

    swarint Thread Starter

    Joined:
    Feb 20, 2007
    Messages:
    127
    OK thanks, will wait for your reply and do a reformat if need be. A very happy new year to you all. Cheers
     
  10. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    This was discussed between myself and quite a few other Security malware fighters.
    We do feel a format and reinstall would be best. You are okay with that?
     
  11. swarint

    swarint Thread Starter

    Joined:
    Feb 20, 2007
    Messages:
    127
    Bro, do you believe in miracle salvaging?? Well I for one do. Why?
    Because I managed to salvage my HD, with a lot of help from my friends here (y) and other forums on the NET.
    If I may share my experience with others here please.
    The PC, like you said, was a GONER, lucky if it would even start, so I said to myself there is nothing to lose so let's experiment; if all goes wrong we will need a full format anyway. :p
    So let's see what I tried:
    got started with a WinXP disc to repair the OS
    it took hours to do a run, finally
    I could see my partitions again with lots of pesties; in any case backed up full data and did a restore to the max days which were available. System came a little faster now.
    Then heaven knows how many programmes I ran, most of them good and freeware like
    Vundo, ComboFix, a-squared, Xsoft Spy, Norton AntiBot, CCleaner, AVG etc.

    The best detective was the Comodo Personal Firewall which immediately detected, or rather gave a clue on, what was the main reason for this mess. It alerted me for sure.

    There was malware in a trusted software which I had loaded and which had a TROJAN embedded in it. Comodo was also giving the IP address of this pest when I was being attacked again and again, and the giveaway was his spelling in the attack code...... used MESSENGGER in his exe attack.
    This Trojan disabled my Task Manager and RUN commands.

    REF ENTRY was spotted hidden in the REGISTRY. I used SE ADWARE REG ENHANCER to locate this entry AND DELETED IT. Also uninstalled the software which was a suspect.
    And bingo, all the attacks stopped from there on.
    The OS is faster than ever and I burnt a DATA DVD of 4.7 GB in 4 MINS FLAT.

    For the sake of good order, I am not a techie and the process which I ran to rectify is brief, but it was well worth it. I will say I am 95 per cent safe now; all the same I am sending you the latest ComboFix and HijackThis log, please have a look and give some feedback. Thanks a ton
    P.S.
    In all this I lost Winamp, VLC, WinRAR, MediaInfo, and Total Video configuration but they were reloaded and they are running again.
    Cheers folks... :)
     

    Attached Files:

  12. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    I surely admire your tenacity! :)
    Mainly I wanted to steer you clear of having to put yourself through all of that!

    It's not clean though. We're gonna remove the obvious baddies now.
    BUT - there are a ton of dodgy looking files remaining that should be analyzed ASAP.

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.

    Rescan with HijackThis, close all browser windows except HijackThis, put a checkmark beside these entries and click Fix checked.

    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

    Reboot and post another Hijack This log please.
     
  13. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    As for the dozens of dodgy files, I am showing them to other Gold Shield/Security techs here and we are gonna see what the next plan of action should be.
     
  14. swarint

    swarint Thread Starter

    Joined:
    Feb 20, 2007
    Messages:
    127
    I am always ready to execute whatever you may guide me, and on the way I also manage to learn new things; this field is simply huge, so please help in whatever way you and your team can. Thanks a ton.
    OK here is what I got from Avenger when I pasted all the text viz

    C:\WINDOWS\system32\guard32.dll
    C:\WINDOWS\system32\test1.exe
    C:\WINDOWS\system32\SCVHSOT.exe
    C:\WINDOWS\system32\nhatquanglan18.exe
    C:\WINDOWS\system32\SSVICHOSST.exe.vir
    C:\WINDOWS\System32\vqjbi.exe
    C:\SSVICHOSST.exe
    D:\SSVICHOSST.exe
    E:\SSVICHOSST.exe
    F:\SSVICHOSST.exe

    It asked me 'ARE YOU SURE YOU WANT TO EXECUTE COMMANDS IN THE SELECTED SCRIPT'
    I said yes OK,
    and the answer is as attached.

    Please tell me if I have to run this in SAFE mode, because I ran it in NORMAL mode?
    And a common observation is that -
    the biggest pestie which has been all over my PC is by the same guy who was trying to get in via the embedded trojan. It had this SSVICHOSST.EXE !!!

    Appreciate your time and efforts. Cheers
     

    Attached Files:

  15. swarint

    swarint Thread Starter

    Joined:
    Feb 20, 2007
    Messages:
    127
    Please ignore my previous message, I managed the Avenger process successfully :) I had missed out
    'Files to delete'
    in my text.
    I will post results in a few mins. Cheers
     

Short URL to this thread: https://techguy.org/663375
