Bozic Virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by jinesh, Apr 15, 2010.

  1. jinesh

    jinesh Private E-2

    Hello,

I have got this Bozic Virus on my PC. I have listed below the info I found about the virus on my PC and the series of events that occurred:

1. The virus deleted AVG and didn't let me run Spybot & HijackThis.

2. It tries to send email when I turn on the router and connect to the internet.

3. It tried to shut down my computer when I ran Spybot and HijackThis after renaming the exe files of the programs.

4. Spybot found registry entries titled ProRAT which had disabled auto protect and had shell command executions.

5. There is a file called Csrss.exe with a folder icon in my Users folder. I am pretty sure that's the virus since the original should be in the 'System32' folder.

6. I installed Comodo Firewall and it reported Csrss.exe as Shellcode Injection in the log. I think it's attaching itself to the system process to hide.

7. I have got this software called 'File Assassin' which deletes files by unlocking handles from the running processes, so I can delete the Csrss.exe file. But when I tried to delete it, Windows crashed and restarted.
    File Assassin has got an option of deleting the file before Windows starts, so I was wondering: should I delete the file? Will it cause any problem?

    8. When I plugged in my USB flash drive the virus copied itself on it. Below is the text from the autorun.inf file on the flash drive:
    [autorun
    -dSA̓—◊¿*ƒÀ◊¿‰À◊ä*ƒäŒådakLDKWQdAKLS??DKWLQ?Dƒ∆¿€‹‘¬∆€‹¿‘‚Î…À¬÷∆Èά÷…‚Α€À¡¬¡€‘ƒ·Ò‘€¬¡ƒ‘€›∆¬À÷Ÿ…À¬÷…¡‚·Ù¬ƒ∆‚‘ƒ∆‚ηÊÀ÷Ÿ˜˚∆‘ƒ¸‰˜Ù€ƒ∆—Α∆ÀƒˆÈʬÀƒ÷…›‚·ˆ‚‰·Ùƒ∆¬À¡∆Ÿ÷¬Àƒ·ˆ˝‚Ή·›÷¬¸÷‰¸‚˚‘ƒ∆¸Ò˜‘€ƒ∆—À«…
    open=VANJA/bozic.exe
action=Open folder to view files using Windows Explorer
    icon=VANJA/bozic.exe
    Shell\open\command=VANJA/bozic.exe
    shell\open\command=VANJA/bozic.exe
    USEAUTOPLAY=1


Vanja Bozic sounds like an Italian name.

So does anyone have any suggestions for what I should do to get rid of this malware?
     
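The autorun.inf quoted above and the csrss.exe sitting in the user profile are the two indicators from this post that a responder can check mechanically rather than by eye. The Python below is an added example for this thread, not code from the original post or from any MajorGeeks tool: the sample autorun.inf is constructed to mirror the quoted one (the junk line after "[autorun" is invented), and the lists of "legitimate" system directories and core process names are assumptions chosen for the heuristic, not an authoritative Windows reference.

```python
"""Triage helpers for the two indicators in the post above: an autorun.inf whose
open / shell\\open\\command keys launch an executable from the removable drive,
and a well-known system process name (csrss.exe) sitting outside System32.
Added example, not code from the original thread. The sample autorun.inf is
constructed to mirror the one quoted in the post; the junk line is invented."""
import ntpath
import re
from typing import Dict, List

SAMPLE_AUTORUN = (
    "[autorun\n"                                      # unterminated section header, as in the post
    "-dSA\u0313\u2014\u25ca\u00bf*junk-bytes-here\n"  # constructed stand-in for the garbage line
    "open=VANJA/bozic.exe\n"
    "action=Open folder to view files using Windows Explorer\n"
    "icon=VANJA/bozic.exe\n"
    "Shell\\open\\command=VANJA/bozic.exe\n"
    "shell\\open\\command=VANJA/bozic.exe\n"
    "USEAUTOPLAY=1\n"
)

KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_\\]*)\s*=\s*(.*?)\s*$")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
# Wording Windows XP's own AutoPlay dialog uses for the genuine "browse the
# drive" choice; the quoted autorun.inf reuses it so the prompt looks real.
GENUINE_ACTION_TEXT = "open folder to view files"


def parse_autorun(text: str) -> Dict[str, List[str]]:
    """Lenient key=value parser. Keys are lower-cased, repeated keys keep every
    value in order, and lines that are not key=value (the section header, the
    junk line) are skipped instead of aborting the parse."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        entries.setdefault(key, []).append(value)
    return entries


def autorun_findings(text: str) -> List[str]:
    """Return one human-readable finding per suspicious directive."""
    findings: List[str] = []
    for key, values in parse_autorun(text).items():
        launches = key in ("open", "shellexecute") or bool(SHELL_COMMAND.match(key))
        for value in values:
            if launches and value.lower().endswith(EXEC_EXT):
                findings.append(f"{key} launches {value}")
            elif key == "action" and GENUINE_ACTION_TEXT in value.lower():
                findings.append(f"action mimics the built-in AutoPlay text: {value!r}")
    return findings


# Assumed set of directories where a core process binary (or its backup copy)
# may legitimately live, and of the process names worth checking.
LEGIT_SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\winsxs\\",
                     "\\windows\\syswow64\\")
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe"}


def masquerading_system_binary(path: str) -> bool:
    """Heuristic: a file named like a core Windows process that is not under
    a system directory. The real csrss.exe lives in System32 (its dllcache
    copy is under System32 too); one in a user profile is what the post found."""
    p = path.replace("/", "\\").lower()
    if ntpath.basename(p) not in SYSTEM_PROCESS_NAMES:
        return False
    return not any(d in p for d in LEGIT_SYSTEM_DIRS)


if __name__ == "__main__":
    for finding in autorun_findings(SAMPLE_AUTORUN):
        print("autorun.inf:", finding)
    for candidate in (r"C:\Documents and Settings\Thacker\csrss.exe",
                      r"C:\WINDOWS\system32\csrss.exe"):
        verdict = "SUSPICIOUS" if masquerading_system_binary(candidate) else "expected location"
        print(candidate, "->", verdict)
```

The parser is deliberately forgiving: it keeps going past the unterminated "[autorun" header and the line of non-printable junk, because the whole point of that junk is to make a strict parser give up before it reaches the open= line. Point it at the autorun.inf on a suspect flash drive (opened read-only, from a clean machine) before trusting the drive's AutoPlay prompt.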
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    You should download and install:
    AutoEater.

    Now:
    Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. jinesh

    jinesh Private E-2

I ran ComboFix but wasn't able to delete the virus. See the log pasted below.


    ComboFix 10-04-11.06 - Thacker 15/04/2010 23:55:40.1.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.495.164 [GMT 5.5:30]
    Running from: c:\documents and settings\Thacker\Desktop\New Folder\Combo-Fix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Quick Heal 10.00 *On-access scanning disabled* (Outdated) {05C1329D-F0E0-4B19-9D15-54F9BC3ADE87}
    FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Thacker\Local Settings\Temporary Internet Files\favicon.ico
    c:\program files\INSTALL.LOG
    c:\windows\eSellerateEngine.dll
    c:\windows\system32\CFSCODE.DLL
    c:\windows\system32\cncs32.dll
    c:\windows\system32\mcicode.dll
    c:\windows\system32\shutdown .exe
    c:\windows\system32\userini.exe
    c:\windows\system32\w32apiw.dll
    c:\windows\system32\winupd01.exe
    c:\documents and settings\Thacker\csrss.exe . . . . failed to delete
    c:\documents and settings\Thacker\secupdat.dat . . . . failed to delete
    c:\windows\system32\secupdat.dat . . . . failed to delete


    Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
    Restored copy from - c:\windows\system32\dllcache\beep.sys
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please read this: HOW TO: Attach Items To Your Post.

    I still need the logs from:
    SAS
    MBAM
    RootRepeal
    ComboFix ---> not just the little you posted
    C:\MGLogs.zip ---> from running the C:\MGTools.exe
     
