Infected with Small.AU SHeur2.ABNC & Win32.Heur

Discussion in 'Malware Help (A Specialist Will Reply)' started by Orbitboy, Apr 22, 2009.

  1. Orbitboy

    Orbitboy Private E-2

    Earlier today my computer began displaying an error message at each logon:

    RUNDLL
    Error loading C:\Windows\System32\biboreza.dll
    Access is denied

    "biboreza" is unfamiliar to me...

    AVG has also found and quarantined 13 instances of infection on my PC composed of:
    SHeur2.ABNC
    Small.AU
    Win32.Heur
    and
    Downloader.Wimad.F

    Of course, another family member who shall remain nameless and without computer privileges discovered the infection and it is unknown exactly what steps were taken at the time. I believe Search and Destroy was run, at least in part, along with CCleaner in total.

    Please, can anyone tell me what this is and how to fix it?
    I'm afraid I've lost the url for the basic machine cleanup posted here previously, can I start there?

    Thank you!
     
  2. Orbitboy

    Orbitboy Private E-2

    Edit: OK, found the Malware removal guide and performed the steps indicated.
    Logs attached. However, Combofix reported an error that it could not continue, that the PC may be infected with a file patching virus (Virut).
    Please see attached error window snapshot. I believe MG ran correctly though there were a number of files reported as "not found."

    In addition, when trying to run Combofix, a window appears reporting a Win32 (?) error and do I want to report it to MSoft.
    I'm sorry, The error window was not captured.

    Thank You!
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We have a few things to fix. I will ask you to go back to the Read and Run First instructions and download the latest version of MGTools in a moment.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now download MGTools again and let it overwrite your current outdated version.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * Avenger
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. Orbitboy

    Orbitboy Private E-2

    TimW -

    Thank You So Much for responding ! ! ! ! !
    Have followed your instructions, logs attached.

    re: How's it going?

    1) Internet definitely seems better - quicker and pages loading. Before, it would take 3 or 4 reload attempts to get a page to appear. Sometimes it is good, sometimes not-so-good. I think I may have a problem with my router, but I'd like to get the machines cleaned up before I install a new one and have to go through setting up a network again.....:banghead
    2)Windows seems to be a little slow - slow opening and closing of windows, sometimes a freeze - intermittent....
    3) When running Avenger, I received a pop-up window stating: "registry editing has been disabled by your administrator." I did not disable this feature and the account logged on to is an administrator account. Funny, windows did make me logon twice. It doesn't usually do that....
    4) During the run of MGTools, just after it states it has zipped the HiJackThis.log, I received a popup window: "ProcessDLL.exe Application Error" - Application failed to initiate properly (0xc000007b). Click on OK to terminate the application. I did and the program continued to run until the end.

    Well, that's my report. If I over did the detail let me know and I'll tone it down a bit. Just can't tell you how much I appreciate your help and am trying to relay all the info I can....

    Thank you !
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, it's actually gotten worse. ( A hint: don't let all users have Admin. privileges!)

    Please Disable Spybot's TeaTimer

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\10.tmp     
    C:\14.tmp     
    C:\17.tmp     
    C:\1d.tmp     
    C:\1e.tmp      
    C:\1f.tmp      
    C:\20.tmp     
    C:\21.tmp     
    C:\22.tmp     
    C:\23.tmp     
    C:\24.tmp     
    C:\25.tmp     
    C:\26.tmp     
    C:\27.tmp     
    C:\28.tmp     
    C:\29.tmp     
    C:\2a.tmp      
    C:\2b.tmp     
    C:\2c.tmp      
    C:\2d.tmp     
    C:\2e.tmp      
    C:\2f.tmp      
    C:\30.tmp     
    C:\32788R~1
    C:\43.tmp     
    C:\44.tmp     
    C:\47.tmp     
    C:\5.tmp       
    C:\6.tmp       
    C:\7.tmp       
    C:\744277~1
    C:\8.tmp       
    C:\9.tmp       
    C:\a.tmp        
    C:\B.tmp
    C:\WINDOWS\me32plpt.dll
    C:\WINDOWS\system32\3361
    C:\WINDOWS\system32\10.tmp       
    C:\WINDOWS\system32\11.tmp       
    C:\WINDOWS\system32\12.tmp       
    C:\WINDOWS\system32\13.tmp       
    C:\WINDOWS\system32\14.tmp       
    C:\WINDOWS\system32\15.tmp       
    C:\WINDOWS\system32\16.tmp       
    C:\WINDOWS\system32\17.tmp       
    C:\WINDOWS\system32\1a.tmp       
    C:\WINDOWS\system32\3.tmp         
    C:\WINDOWS\system32\3361          
    C:\WINDOWS\system32\4.tmp         
    C:\WINDOWS\system32\5.tmp         
    C:\WINDOWS\system32\6.tmp         
    C:\WINDOWS\system32\C.tmp
    C:\WINDOWS\system32\D.tmp
    C:\WINDOWS\system32\E.tmp
    C:\WINDOWS\system32\F.tmp
    C:\WINDOWS\system32\fairy.an      
    C:\WINDOWS\system32\ferryl.cbv   
    C:\WINDOWS\system32\inqby.sr
    C:\WINDOWS\system32\kjsdiowq8oikf.dll
    C:\WINDOWS\system32\reader_s.exe
    C:\WINDOWS\system32\tpsaxyd.exe
    C:\WINDOWS\system32\yevilodi
    C:\WINDOWS\system32\ntos.exe
    C:\WINDOWS\system32\3361\SVCHOST.exe
    C:\WINDOWS\system32\w.exe
    C:\WINDOWS\TEMP\qgjqg7cjcc.exe
    C:\WINDOWS\TEMP\qgjqg7cjcc.exe
    C:\WINDOWS\System32\reader_s.exe
    C:\WINDOWS\TEMP\396857276.exe
    C:\Documents and Settings\Dad\reader_s.exe
    C:\DOCUME~1\Dad\LOCALS~1\Temp\3660171230.exe
    C:\WINDOWS\system32\kjsdiowq8oikf.dll
    C:\WINDOWS\TEMP\rtv_winupd.exe
    C:\WINDOWS\TEMP\396857276.exe
    C:\WINDOWS\TEMP\qgjqg7cjcc.exe
    
    Folder::
    c:\WINDOWS\system32\3361
    C:\WINDOWS\system32\yevilodi
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Diagnostic Manager"=-
    "reader_s"=-
    
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Radio-TV adverts"=-
    "svchost.exe"=-
    "reader_s"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
    "svchost.exe"=-
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Diagnostic Manager"=-
    "reader_s"=-
    "Windows Resurections"=-
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\sharedtaskscheduler]
    "{B2BA40A2-74F0-42BD-F434-12345A2C8953}"=-
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  6. Orbitboy

    Orbitboy Private E-2

    Tim --

    I am unable to run ComboFix !!!!!
    I received 2 error windows, a copy of which is attached.
    The first is a Generic Host Process for Win32 Services window, the second is an Error window stating it is not safe to continue with ComboFix, the file has been compromised and the possibility of being infected with "Virut"

    I have therefore paused until I hear from you what to do.
    I have not run CCleaner, yet. I have not been able to generate a Combofix log.
    The MGlogs.zip is attached - however - I should report it was difficult to get HiJackThis to run. I was successful by deleting (fixing) one line at a time. I would receive an error message that "registry editing had been disabled by my administrator" which, since I am the administrator, I can report I did not knowingly do this. Additionally, I would have to report that not all the lines that needed to be fixed that you indicated, would appear on the scan. When I fixed one line and ran the scan again, new items would appear on the report that were not there on the previous run. Finally, after going through this one line fixing process, I was able to "fix" all the items you indicated. It would require me to exit or close HiJackThis after each fix and restart the program/process.

    When I ran the GetLogs.bat I immediately received the same Error window that registry editing had been disabled (apparently when GetUnKeys is run) and a ProcessDLL Error window before being able to complete the zip up process. A jpg of the window is attached.

    Thanks - please let me know what I should do about ComboFix!
     


  7. Orbitboy

    Orbitboy Private E-2

    Tim --

    I became concerned that ComboFix would not run and was reporting the Virut Virus as the probable cause. So I went to Microsofts OneCareLive Scan and ran a scan. Here's what it reports, which absolutely amazes me...
    I have not "fixed" anything as yet - I'm afraid the fix will wipe out half of my OS and Registry!

    *Protection
    13 Severe issues found
    Backdoor: Win32/
    Refpron.gen!C 6 detections
    Exploit: HTML/
    IframeRef.gen 13828 detections (!!!!!!!)
    Trojan: Win32/
    AgentBypass.gen!G 4 detections
    Conhook.C 1 detected
    Ertfor.A 1 detected
    TrojanDownloader:
    ASX/Wimad.AJ 2 detected
    ASX/Wimad.BD 2 detected
    TrojanDropper:
    Win32/Otlard.A 5 detections
    TrojanSpy:
    Win32/ Festeal.gen!B 2 detected
    VirTool:
    Win32/ Obfuscator.DO 8 detections
    Virus:
    W97M/ Melissa.AZ 1 detected
    Virus:
    Win32/ Cutwail.f 2 detections
    Virus:
    Win32/ Virut.BM 4070 detected

    *Performance
    353 registry items found
    14.0 MB temporary files found
    Defragmenting not necessary

    *Network Safety
    0 ports open

    Again - I did NOT hit "fix" - just wanted to find out more about Virut which was blocking ComboFix from running. None of my "Learn more" buttons or any url with symantic in it will run or connect.

    Please, Please Advise!!!!

    -- Orbit
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This virus affects system files which is why combo will not run. If it removed the infected system files, your computer will become a brick.

    The safest and most reliable thing to do for infections like this is to just perform a total clean reinstall. I suggest that hard disk partitions be deleted and then recreated. Then formatted followed by the reinstall of Windows and other programs. We don't recommend backing up anything since the files could be carrying the infection (especially anything that is an executable type file) and you will just reinfect a new installation if you restore these backups. However if you really need personally data from this hard disk, the only method I would use would be the below:

    • physically remove the hard disk from this PC and slave it into another well protected computer. I recommend having Avast on the other PC since it seems to catch this infection.
    • DO NOT RUN ANY PROGRAMS on this infected slave drive while plugged into the other computer.
    • Copy only your data files from the infected drive. DO NOT COPY any executable type files.
    • Then put this infected hard disk back into the original PC and start the reinstall process beginning with the deletion of all partitions.

    Also note this infection can spread to shared drives and also writable removable type drives. So if you have a network with shared drives, other computers may be infected. Also if you have plugged a USB flash drive into this PC, the flash drive could now be carrying the infection if any executable type files were on the flash drive. Also any PCs this flash drive has been plugged into could now be infected.
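As an added example (not from this thread or from MajorGeeks), here is a Python script that applies the "copy only your data files, DO NOT COPY any executable type files" rule to a slaved drive: it skips files by executable extension and also by the MZ header, so a PE binary hiding behind a data extension is not carried over. The source/destination paths and sample files are constructed so it runs offline; the extension list is an assumption, not an exhaustive one.

```python
"""Rescue data files from a slaved, suspected-infected drive, skipping anything
executable. Added example; SRC/DST are constructed temp directories."""
import os, shutil, tempfile, pathlib

# Executable-type extensions to refuse (assumed list, extend as needed).
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".sys", ".cpl", ".ocx",
             ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta", ".msi", ".lnk"}

def is_pe_file(path: pathlib.Path) -> bool:
    """True if the file starts with the MZ header, i.e. is a PE binary
    whatever its extension (file infectors target PE executables)."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return True  # unreadable: treat as unsafe and skip it

def should_copy(path: pathlib.Path) -> bool:
    return path.suffix.lower() not in EXEC_EXTS and not is_pe_file(path)

def copy_data_only(src: str, dst: str) -> dict:
    """Walk src, copy files that pass should_copy into dst (keeping the
    relative tree) and report what was copied and what was skipped."""
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src):
        for name in files:
            p = pathlib.Path(root) / name
            rel = p.relative_to(src)
            if should_copy(p):
                target = pathlib.Path(dst) / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(p, target)  # copies bytes only, never executes
                copied.append(str(rel))
            else:
                skipped.append(str(rel))
    return {"copied": sorted(copied), "skipped": sorted(skipped)}

def demo() -> dict:
    """Build a constructed sample 'slave drive' and run the copy."""
    src, dst = tempfile.mkdtemp(prefix="slave_"), tempfile.mkdtemp(prefix="rescued_")
    samples = {  # constructed files; reader_s.exe is a name seen in the thread
        "Documents/letter.txt": b"Dear family, ...",
        "Documents/budget.csv": b"item,cost\nrouter,40\n",
        "reader_s.exe": b"MZ\x90\x00...",
        "backup.bat": b"xcopy D:\\data E:\\data /s",  # script type: skipped
        "photo.jpg.exe": b"MZ\x90\x00",               # double extension
        "notes.doc": b"MZ\x90\x00disguised PE",       # PE behind a data extension
    }
    for rel, data in samples.items():
        p = pathlib.Path(src) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return copy_data_only(src, dst)
```

Run `demo()` to see the report: only the two document files are copied, the four executable-type or MZ-headed files are listed under "skipped".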
     
  9. Orbitboy

    Orbitboy Private E-2

    Oh brother........

    I come very close to all those scenarios! In terms of infection with a flash drive, executables would have to have been copied on purpose (by me) from an infected file or location to the flash drive to be problematic - right? I'm asking if the transfer of data files only should have been safe?

    Is there something good to use just to check a Flash Drive???

    Secondly, with regards to salvageable items - how about a simple *.bat file? I've written a few small ones to aid in transferring files and back-ups. If they were infected and I open as a txt file with an edit command, the virus would show up in the text - correct? If unchanged it would still be salvageable?

    I decided to run a OneCareScan on the laptop which I thought was clean. I found :
    *Protection
    4 items detected under Exploit:HTML/IframeRef.gen
    2 items detected under Virus:Win32/Virut.BM
    *Performance
    312 Registry Items found
    Although I don't know what this means exactly...

    With the lower numbers here, do you think I could "fix" the laptop with this OneCare or will this infection require a wipe and reinstall as well???

    Thanks Again!!!!
    Please Advise!!!!
     
  10. Orbitboy

    Orbitboy Private E-2


    Tim --

    As you suggested, I downloaded Avast to the laptop, turned off McAfee and ran Avast on C drive and the Flash Drive. Avast picked up the 2 trojans, which are now moved to the vault, but did not pick up the 2 Virut.BM infections that OneCare did. So, I am still not sure if it is on the flash drive and am certain it is still on the laptop. I am having the PC wiped tomorrow, along with the external backup hard drive. That will just leave the laptop and flash drive - do you have any suggestions as to how to clean out the 2 instances of Virut.BM that were detected by OneCare???

    Thank You!!!!!!
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If I am understanding you correctly, you are saying that your laptop is also infected. If we were working on a different computer before, then you need to start a new thread for the laptop and attach the logs.

    If you get the same issue when you run Combo on the laptop, then you need to toss the thumb drive and unfortunately wipe the laptop as well.
     
