
XP Security Center Virus

Discussion in 'Virus & Other Malware Removal' started by kdel1, Apr 5, 2010.

  1. kdel1

    kdel1 Thread Starter

    Joined:
    Apr 2, 2010
    Messages:
    13
    A few days ago while on surfthechannel.com, my computer was infected with what seemed like several viruses. I ran Trend Micro's PC Cillin and it found and deleted two trojans, but it doesn't seem to be able to locate this remaining virus. My computer runs very slow and most of the time can't boot up in normal mode. If it does boot up in normal mode it freezes pretty shortly after. I have to run it in safe mode with networking to get it to work at all. Even in safe mode I constantly have the fake security center popping up doing scans - telling me I have several infections, asking me to buy the software it's advertising, random internet explorer windows coming up with several different advertisements, and messages at the bottom right and left sides of my screen from the fake security center icon also pop up constantly saying I have been infected with various things.

    I downloaded and ran SmitfraudFix to clean my registry but I don't think it did anything. I also tried to download superantispyware but an error message comes up when I try to install the software - something along the lines of "this software cannot be installed due to administrator settings". PLEASE HELP ME!!!!!
     

    Attached Files:

  2. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    hi,

    Please do the following:



    • Open HiJackThis
    • Click on Do a system scan only
    • Check the boxes next to ONLY the entries listed below (if still present):
    O1 - Hosts: 85.13.206.114 uuu20091124.info
    O1 - Hosts: 85.13.206.114 u07012010u.com
    O2 - BHO: C:\WINDOWS\system32\rdx5faki.dll - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\rdx5faki.dll
    O4 - HKLM\..\Run: [konijiwile] Rundll32.exe "batomune.dll",s
    O4 - HKLM\..\Run: [fuliwuhez] Rundll32.exe "c:\windows\system32\vebimayo.dll",a
    O4 - HKCU\..\Run: [hf8wefhuaihf8ewfydiujhfdsfdf] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ja1djtl1.exe
    O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\login.exe
    O4 - HKCU\..\Run: [mplay32xe.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mplay32xe.exe
    O4 - HKUS\S-1-5-19\..\Run: [konijiwile] Rundll32.exe "gabuwuwo.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [konijiwile] Rundll32.exe "gabuwuwo.dll",s (User 'NETWORK SERVICE')
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O20 - AppInit_DLLs: APSHook.dll vibinuze.dll c:\windows\system32\vebimayo.dll
    O21 - SSODL: sozoboren - {01460ba5-af76-4bb0-8edd-77f6c111d109} - c:\windows\system32\vebimayo.dll
    O22 - SharedTaskScheduler: hasiufhiusdfjdhfudd - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\rdx5faki.dll
    O22 - SharedTaskScheduler: jugezatag - {01460ba5-af76-4bb0-8edd-77f6c111d109} - c:\windows\system32\vebimayo.dll

    • Close all windows except Hijackthis and click Fix Checked
    • Click Yes when prompted
    • Close HijackThis.

    NEXT





    Download DDS and save it to your desktop from here or here.



    Disable any script blocker, and then double click dds to run the tool.

    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.
    ---------------------------------------------------------------------------------------------

    Download GMER Rootkit Scanner from here to your desktop. Rename it to a .com extension. You may need to ensure file extensions are viewable.

    Go to My Computer->Tools->Folder Options->View tab:
    * make sure there is no checkmark beside Hide file extensions for known file types


    * Click Yes to confirm and then click OK.

    • Double click the renamed .com file.
    • If it gives you a warning about rootkit activity and asks if you want to run scan... click on NO, then use the following settings for a more complete scan.


    • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and attach it in reply.
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
     
  3. kdel1

    kdel1 Thread Starter

    Joined:
    Apr 2, 2010
    Messages:
    13
    I just tried the first step you suggested and it was just like trying to install superantispyware - I got a message saying I'm not allowed to alter registry files due to administrator settings. How do I adjust my administrator settings?!??! The virus MUST have altered them!!! Thanks for your help!
     
  4. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    That's the virus doing that:

    Please run the following tools

    Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
    Note If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    The above tool will run directly from the USB drive.

    If that doesn't allow you to run the steps from my previous post then try this next one:

    If you have an active internet connection, copy/paste the links below into your browser, don't click them or the rogue might redirect. If you don't have an active internet connection, download the tools from another machine, and transfer them to the affected machine via USB flash drive.


    Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click and choose Run as Admin
    You only need to get one of them to run, not all of them.


    http://download.bleepingcomputer.com/grinler/rkill.exe
    http://download.bleepingcomputer.com/grinler/rkill.com
    http://download.bleepingcomputer.com/grinler/rkill.scr
    http://download.bleepingcomputer.com/grinler/rkill.pif


    Note:

    You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message. Run rkill repeatedly until it's able to do its job. This may take a few tries. You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

    At this point, you should now be able to run analysis tools.

    Once the tool has run, do NOT reboot the machine, and then try once again to run DDS and GMER.

    If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.
     
  5. kdel1

    kdel1 Thread Starter

    Joined:
    Apr 2, 2010
    Messages:
    13
    Here is the log I got from running exeHelper that you requested. I will try the steps from your original message now. Thanks!
     

    Attached Files:

  6. kdel1

    kdel1 Thread Starter

    Joined:
    Apr 2, 2010
    Messages:
    13
    I was about to start going through the original steps you gave me but when I ran a new scan with Hijackthis it seems as though some of the files you told me to clean were no longer there and new ones had appeared. I was just wondering if you could look at the new log before I complete this part of the process. Thank you so much for your patience!
     

    Attached Files:

  7. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    don't be too concerned about HijackThis right now, I just gave you a quick fix in order to enable the other scans to run more efficiently:

    The items to delete in the new scan are these:


    O2 - BHO: C:\WINDOWS\system32\rdx5faki.dll - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\rdx5faki.dll
    O4 - HKLM\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\config\systemprofile\Application Data\AntiVirus Plus\AntiVirus Plus.55532.dll", start 55532
    O4 - HKLM\..\Run: [konijiwile] Rundll32.exe "batomune.dll",s
    O4 - HKLM\..\Run: [fuliwuhez] Rundll32.exe "c:\windows\system32\vebimayo.dll",a
    O4 - HKUS\S-1-5-18\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\config\systemprofile\Application Data\AntiVirus Plus\AntiVirus Plus.55532.dll", start 55532 (User 'SYSTEM')
    O4 - S-1-5-18 Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'Default user')
    O4 - Global Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{65BD1898-569F-44EB-8945-BD341A6B65C0}: NameServer = 83.149.115.157,4.2.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDDAC22-A5FD-43F8-BFFD-7CCE81EBA358}: NameServer = 83.149.115.157,4.2.2.1,192.168.1.1
    O20 - AppInit_DLLs: vibinuze.dll c:\windows\system32\vebimayo.dll c:\windows\system32\mufezuwi.dll
    O21 - SSODL: lomuzetuk - {c509c53d-c37a-4f5b-b730-a668e3bddd3a} - c:\windows\system32\mufezuwi.dll
    O21 - SSODL: tizisobom - {1fa0d1a8-3f1e-4612-84d9-3f79f06455bc} - c:\windows\system32\mufezuwi.dll
    O21 - SSODL: suvidoyoj - {b770698a-f3e9-40ad-bf96-a5d4f0e4d581} - c:\windows\system32\vebimayo.dll
    O22 - SharedTaskScheduler: hasiufhiusdfjdhfudd - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\rdx5faki.dll
    O22 - SharedTaskScheduler: jugezatag - {c509c53d-c37a-4f5b-b730-a668e3bddd3a} - c:\windows\system32\mufezuwi.dll
    O22 - SharedTaskScheduler: gahurihor - {1fa0d1a8-3f1e-4612-84d9-3f79f06455bc} - c:\windows\system32\mufezuwi.dll
    O22 - SharedTaskScheduler: kupuhivus - {b770698a-f3e9-40ad-bf96-a5d4f0e4d581} - c:\windows\system32\vebimayo.dll


    DDS and GMER will give me a more in-depth look at what is going on in your machine.

    Thanks
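
    An added example, not part of CatByte's post: a Python sketch that takes a subset of the HijackThis entries listed above, groups them by the DLL they load to show that one file is registered under several autostart sections, and lists the non-private NameServer addresses from the O17 lines. The function names and the section labels are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Subset of the entries listed in the post above, copied as posted.
SAMPLE = r"""
O2 - BHO: C:\WINDOWS\system32\rdx5faki.dll - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\rdx5faki.dll
O4 - HKLM\..\Run: [fuliwuhez] Rundll32.exe "c:\windows\system32\vebimayo.dll",a
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDDAC22-A5FD-43F8-BFFD-7CCE81EBA358}: NameServer = 83.149.115.157,4.2.2.1,192.168.1.1
O20 - AppInit_DLLs: vibinuze.dll c:\windows\system32\vebimayo.dll c:\windows\system32\mufezuwi.dll
O21 - SSODL: lomuzetuk - {c509c53d-c37a-4f5b-b730-a668e3bddd3a} - c:\windows\system32\mufezuwi.dll
O21 - SSODL: suvidoyoj - {b770698a-f3e9-40ad-bf96-a5d4f0e4d581} - c:\windows\system32\vebimayo.dll
O22 - SharedTaskScheduler: hasiufhiusdfjdhfudd - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\rdx5faki.dll
O22 - SharedTaskScheduler: jugezatag - {c509c53d-c37a-4f5b-b730-a668e3bddd3a} - c:\windows\system32\mufezuwi.dll
"""

# Short labels for the HijackThis sections used here (wording is this example's own).
SECTIONS = {
    "O2": "Browser Helper Object",
    "O4": "Run key / Startup folder",
    "O17": "DNS server setting",
    "O20": "AppInit_DLLs",
    "O21": "ShellServiceObjectDelayLoad",
    "O22": "SharedTaskScheduler",
}

ENTRY = re.compile(r"^(O\d+) - (.*)$")
# Unquoted-token match; paths containing spaces are out of scope for this sketch.
DLL = re.compile(r'[^\s"]+\.dll', re.IGNORECASE)


def entries(log):
    """Yield (section, detail) for every 'On - ...' line in a HijackThis log."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def dll_persistence(log):
    """Map each DLL file name to the ordered list of sections that load it."""
    seen = defaultdict(set)
    for section, detail in entries(log):
        for path in DLL.findall(detail):
            name = path.rsplit("\\", 1)[-1].lower()
            seen[name].add(section)
    return {n: sorted(s, key=lambda x: int(x[1:])) for n, s in seen.items()}


def public_dns(log):
    """Return non-private NameServer addresses from O17 entries, in log order."""
    found = []
    for section, detail in entries(log):
        if section != "O17" or "NameServer =" not in detail:
            continue
        for addr in detail.split("NameServer =", 1)[1].split(","):
            addr = addr.strip()
            try:
                private = ipaddress.ip_address(addr).is_private
            except ValueError:
                continue  # not an IP literal; skip it
            if not private and addr not in found:
                found.append(addr)
    return found


if __name__ == "__main__":
    for name, sections in sorted(dll_persistence(SAMPLE).items()):
        print(name, "->", ", ".join(f"{s} ({SECTIONS[s]})" for s in sections))
    print("resolvers to verify:", public_dns(SAMPLE))
```

    A DLL that shows up under several sections has to be unregistered from every one of them, and any listed resolver should be compared with what the router or ISP actually hands out.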
     
  8. kdel1

    kdel1 Thread Starter

    Joined:
    Apr 2, 2010
    Messages:
    13
    here are my DDS and GMER logs. thanks!
     

    Attached Files:

  9. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    hi,

    please do the following:

    Download Combofix from either of the links below but rename it to Combo.com before saving it to your desktop.


    Link 1
    Link 2


    --------------------------------------------------------------------

    Double click on the renamed ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt so we can continue cleaning the system.
    NOTE: Very Important! - Please disable all your security programs before running ComboFix as they will interfere
     
  10. kdel1

    kdel1 Thread Starter

    Joined:
    Apr 2, 2010
    Messages:
    13
    Hi,

    Here's my ComboFix log.

    Thanks!
     

    Attached Files:

    • log.txt
      File size:
      23.7 KB
      Views:
      3
  11. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
    • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Copy/paste the text inside the Codebox below into notepad:

    Here's how to do that:
    Click Start > Run type Notepad click OK.
    This will open an empty notepad file:

    Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

    Code:
    http://forums.techguy.org/malware-removal-hijackthis-logs/914928-xp-security-center-virus.html
    
    Collect::
    c:\windows\system32\behubaza.dll
    c:\windows\system32\fatalofi.dll
    c:\windows\system32\fopihofu.dll
    c:\windows\system32\kohuhoro.dll
    c:\windows\system32\kuyigiba.dll
    c:\windows\system32\loyuwisa.dll
    c:\windows\system32\menuraze.dll
    c:\windows\system32\nevoputo.dll
    c:\windows\system32\pamuyomi.dll
    c:\windows\system32\rohebiyi.dll
    c:\windows\system32\sunasuyu.dll
    c:\windows\system32\vakumene.dll
    c:\windows\system32\config\systemprofile\Local Settings\Application Data\Windows Server\uptcdx.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79049bf5-c025-460b-808c-1f80edd32f76}]
    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    
    Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

    Save this file to your desktop, Save this as "CFScript"


    Here's how to do that:

    1. Click File;
    2. Click Save As... Change the directory to your desktop;
    3. Change the Save as type to "All Files";
    4. Type in the file name: CFScript
    5. Click Save ...

    [​IMG]
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you.
    • Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
     
  12. kdel1

    kdel1 Thread Starter

    Joined:
    Apr 2, 2010
    Messages:
    13
    Here's my new ComboFix log. Thanks!
     

    Attached Files:

    • log.txt
      File size:
      16.3 KB
      Views:
      3
  13. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following;

    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\documents and settings\Administrator\Local Settings\Application Data\1360466830.dll
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.

    You may need to show hidden files and folders to be able to upload it:

    Go to Start > My Computer > Tools
    Select Folder Options from the drop down menu > Advanced Settings
    Check the option that reads: Display the contents of system folders.
    In the Hidden files and folders, click on the radio button that reads: Show hidden files and folders
    Uncheck the check box next to these two options: Hide file extensions for known file types and Hide protected operating system files.
    Click on the Apply button. Click on the OK button.
    Close the My Computer dialog window.


    NEXT

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.

    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so.

    NEXT

    Using Internet Explorer or Firefox, visit Kaspersky Online Scanner:

    1. Click Accept, when prompted to download and install the program files and database of malware definitions.
    2. To optimize scanning time and produce a more sensible report for review:
    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View scan report at the bottom.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
     
  14. kdel1

    kdel1 Thread Starter

    Joined:
    Apr 2, 2010
    Messages:
    13
    Just wanted to post this before moving to the next steps of your last post. Moving on to Malwarebytes' Anti-Malware now...thanks!

    VirSCAN.org Scanned Report :
    Scanned time : 2010/04/14 15:56:42 (EDT)
    Scanner results: 36% Scanner(s) (13/36) found malware!
    File Name : 1360466830.dll
    File Size : 184320 byte
    File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
    MD5 : 364c067bba5cb5eae39549589db8e6c5
    SHA1 : d8e7453e73ab60336fc57c98652c92379c49da83
    Online report : http://virscan.org/report/91aaaf66ca41e688b2019c23f370e62b.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100415011602 2010-04-15 4.84 -
    AhnLab V3 2010.04.15.00 2010.04.15 2010-04-15 1.08 -
    AntiVir 8.2.1.210 7.10.6.77 2010-04-14 0.25 -
    Antiy 2.0.18 20100412.4183175 2010-04-12 0.02 -
    Arcavir 2009 201004141437 2010-04-14 0.04 Packed.Katusha.j
    Authentium 5.1.1 201004141348 2010-04-14 1.27 -
    AVAST! 4.7.4 100414-1 2010-04-14 0.01 -
    AVG 8.5.720 271.1.1/2810 2010-04-14 0.24 -
    BitDefender 7.81008.5642434 7.31201 2010-04-15 3.60 Gen:Heur.Krypt.26
    ClamAV 0.95.3 10742 2010-04-14 0.03 -
    Comodo 3.13.579 4597 2010-04-14 3.09 -
    CP Secure 1.3.0.5 2010.04.13 2010-04-13 0.07 -
    Dr.Web 5.0.2.3300 2010.04.15 2010-04-15 6.87 -
    F-Prot 4.4.4.56 20100414 2010-04-14 1.27 -
    F-Secure 7.02.73807 2010.04.14.12 2010-04-14 0.16 Packed:W32/MysticCompressor.gen!A [FSE]
    Fortinet 4.0.14 11.697 2010-04-14 0.17 W32/FraudPack.fam!tr
    GData 19.10997/19.886 20100414 2010-04-14 6.79 Packed.Win32.Katusha.j [Engine:A]
    ViRobot 20100414 2010.04.14 2010-04-14 0.42 -
    Ikarus T3.1.01.80 2010.04.14.75626 2010-04-14 6.36 -
    JiangMin 13.0.900 2010.04.13 2010-04-13 1.25 -
    Kaspersky 5.5.10 2010.04.14 2010-04-14 0.07 Packed.Win32.Katusha.j
    KingSoft 2009.2.5.15 2010.4.14.20 2010-04-14 0.70 Win32.Troj.Katusha.j.184320
    McAfee 5400.1158 5945 2010-04-08 0.02 -
    Microsoft 1.5605 2010.04.14 2010-04-14 7.82 Trojan:Win32/FakeRean
    Norman 6.04.11 6.04.00 2010-04-14 4.01 -
    Panda 9.05.01 2010.04.13 2010-04-13 0.51 -
    Trend Micro 9.120-1004 6.996.17 2010-04-14 0.03 TROJ_KRAP.SMEP
    Quick Heal 10.00 2010.04.14 2010-04-14 1.61 -
    Rising 20.0 22.43.02.04 2010-04-14 0.65 -
    Sophos 3.06.0 4.52 2010-04-15 3.41 Mal/EncPk-NP
    Sunbelt 3.9.2418.2 6175 2010-04-14 6.09 VirTool.Win32.Obfuscator.hg!a (v)
    Symantec 1.3.0.24 20100414.004 2010-04-14 0.05 Packed.Mystic!gen4
    nProtect 20100413.01 7966965 2010-04-13 4.95 -
    The Hacker 6.5.2.0 v00260 2010-04-13 0.43 -
    VBA32 3.12.12.4 20100414.0959 2010-04-14 2.87 Malware-Cryptor.Win32.Palka
    VirusBuster 4.5.11.10 10.124.10/2017073 2010-04-15 2.38 -
     
  15. kdel1

    kdel1 Thread Starter

    Joined:
    Apr 2, 2010
    Messages:
    13
    Here's the MBAM log. Moving on to Kaspersky Online Scanner.

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3988

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 7.0.5730.13

    4/14/2010 4:19:13 PM
    mbam-log-2010-04-14 (16-19-13).txt

    Scan type: Quick scan
    Objects scanned: 102637
    Time elapsed: 4 minute(s), 7 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 1
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection (Rogue.YourProtection) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\Your Protection (Rogue.YourProtection) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6HKNURY5\avplus[1].dll (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6ZQHC1UR\book[1].htm (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6ZQHC1UR\dv[1].htm (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6ZQHC1UR\odiqbu55532[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\Program Files\Your Protection\Uninstall.exe (Rogue.YourProtection) -> Quarantined and deleted successfully.
    C:\Program Files\Your Protection\urp.db (Rogue.YourProtection) -> Quarantined and deleted successfully.
    C:\Program Files\Your Protection\urpext.dll (Rogue.YourProtection) -> Quarantined and deleted successfully.
    C:\Program Files\Your Protection\urphook.dll (Rogue.YourProtection) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\Desktop\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
     

Short URL to this thread: https://techguy.org/914928
