Unknown Virus

Hi there

I seem to of somehow got a virus again.. My Eset virus scanner keeps identifying every program, drivers and utilities as a virus and it quarantines them, including all the windows services, explorer, blutooth adapters and all my other spyware programs, and applications. I can't really get into my system...

Any help would be appreciated (again)

I have tried doing a system restore to no avail..

Regards Dave

Sounds like you've got yourself a file patcher, Virut/Sality.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  
• Double click DDS.scr to run.
  
• When complete, two logs will open. Save both of the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

DDS (Ver_09-05-14.01) - NTFSx86
Run by Dave at 21:18:52.65 on 31/05/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.583 [GMT 1:00]

AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Memturbo 4\MemTurbo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Dave\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: CKeyScramblerBHO Object: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\dave\startm~1\programs\startup\memturbo.lnk - c:\program files\memturbo 4\MemTurbo.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\dell\bluetooth software\BTTray.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Send To &Bluetooth - c:\program files\dell\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dave\applic~1\mozilla\firefox\profiles\47huwar1.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\dave\application data\mozilla\firefox\profiles\47huwar1.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-2-6 727720]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-3-21 33792]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-3-21 113896]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================

2009-05-31 20:45 --d----- c:\windows\system32\wbem\Repository
2009-05-31 19:53 58,880 a------- c:\windows\system32\51A1.tmp
2009-05-31 19:53 124 a------- c:\windows\system32\519E.tmp
2009-05-31 19:49 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-05-31 19:49 --d----- c:\program files\Tukero[X]Team
2009-05-31 19:48 0 a------- c:\windows\system32\5199.tmp
2009-05-31 19:48 58,880 a------- c:\windows\system32\5198.tmp
2009-05-31 19:48 124 a------- c:\windows\system32\5193.tmp
2009-05-31 19:46 --d----- C:\Archivos de programa(2)
2009-05-24 21:53 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-05-24 17:49 --d----- C:\e98aa92d86c587af8123
2009-05-24 17:48 --d----- c:\windows\SxsCaPendDel
2009-05-24 17:17 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-05-24 17:17 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-05-24 17:17 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-05-24 17:17 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-05-24 17:17 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-05-24 17:17 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-24 17:17 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-05-24 17:17 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-05-24 17:17 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-05-24 17:16 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-24 17:16 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-05-24 17:16 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-05-14 23:39 --d----- C:\dump

==================== Find3M ====================

2009-05-31 19:49 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-21 15:46 604 a---h--- c:\program files\STLL Notifier
2009-03-20 19:20 80,943 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-20 18:05 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll

============= FINISH: 21:19:12.58 ===============

.

Last edited by Voods on 31st May 2009, 8:25 pm; edited 1 time in total (Reason for editing : double post)

Hello.
The malware has patched a system file, and you might have Virut from what I can tell.

• Download combofix from here
  Link 1
  Link 2
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV. (Nod32)
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

I tried to run combofix, but it does not let me run it. A small dialogue box with "error" in the blue strip appears, and an exclamtion mark in a speech bubble in the actual box.

I did try a second time with the same result

Regards

Delete your copy of Combofix.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Well I have followed your above method and still get the same error message, so anything else I can try?

Regards

What does the error say?

Hi there is no message in the dialogue box apart from the word error in the blue strip.
I have attatched a picture of the desktop.

Regards

Last edited by Voods on 31st May 2009, 10:55 pm; edited 1 time in total

The screenshot shows you haven't downloaded it as Combo-Fix per my instructions above.

Sorry about that, I attatched the wrong image

Here is the correct one.

Hello.
Lets see if we can fix that ndis.sys file

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
ndis.sys

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

Hi

Heres the log.


SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 00:27 on 01/06/2009 by Dave (Administrator - Elevation successful)

========== filefind ==========

Searching for "ndis.sys"
C:\WINDOWS\$NtServicePackUninstall$\ndis.sys -----c 182656 bytes [18:08 20/03/2009] [10:30 06/03/2003] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\ServicePackFiles\i386\ndis.sys ------ 182656 bytes [18:17 20/03/2009] [00:50 14/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\dllcache\ndis.sys --a--c 182656 bytes [18:49 31/05/2009] [18:49 31/05/2009] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\drivers\ndis.sys --a--- 182656 bytes [16:31 16/07/2003] [18:49 31/05/2009] 1DF7F42665C94B825322FAE71721130D

-=End Of File=-

Darn, other copies of ndis.sys are also infected.
I seriously think Virut is present, the number of svchosts at the bottom of the processes list shouldn't be there.

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (softwares) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.


For more information, please see Here

Instructions how to format and reinstall Windows can be found Here

Blimey.. I think this is the most serious attack I've had yet, goodness knows where it came from..
Will my pdf files be ok?


Anyway, thanks for your prompt assistance.

I will do a full reformat, just have to accept i've lost some stuff.

Pdf files should be okay assuming they aren't the source of the infection.

Certainly wern't, and just one final question, this happened on a wireless network, but none of the other computers using this were switched on at the time of infection...
Is there any risk at all that it could somehow spread to the other computers when swithced on and connected to the network.., silly question probably I know..

Regards
Dave

Don't think so, Virut doesn't have network code written in.