Nasty Nasty virus

[Exarchice]

My little brother got on my pc a few hours ago, while I was at a friends house. I came back and my computer is completely messed up right now. I am currently running in safe mode and using Fire Fox. Apparently he was looking at porn on or something on IE.

Effects: IE does not work, no programs work, except for Fire Fox and MSN messenger. I cannot even run a any of my virus scanners on it, not even ones that I have saved to my flash drive. The virus is blocking everything I do. There is a little green shield in the bottom right(in the quick icon list) It looks like the Microsoft shield, but it is not. I clicked on it and it took me to a "anti virus site" on IE(go figure, its the only site that works on IE)

I have no clue what to do since I cannot remove it, I would hate to have to reformat(or trash) this hard drive, as it has a lot of important things saved to it. I did however manage to get AVG working in safe mode, but it is not detecting the virus.

Need help quick, everything I do, including my work is saved to this computer. I can use my laptop for now, but I am more worried about saving my work than anything. I also refuse to move anything to a flash drive as it may spread the virus to my laptop.

 

[Osiris]

Try to run combofix, it doesnt install, it just executes its self. If that doesnt work let me know.

 

[Exarchice]

In safe mode or normal mode?

This is what i got from hijackthis in safe mode, I am doing a comobo fix now.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:08:28 AM, on 5/7/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Nugent\Downloads\mbam-setup-1.46.exe
C:\Users\Nugent\AppData\Local\Temp\is-93FQD.tmp\mbam-setup-1.46.tmp
C:\Users\Nugent\Downloads\HiJackThis.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = DOVOGAME.com Business Tycoon Online,business simulation,browser game platform
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files (x86)\Search Toolbar\tbhelper.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: TBSB05974 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: FrostWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Search Toolbar - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files (x86)\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files (x86)\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [GSC] C:\Program Files (x86)\GSC 2.00\GSClient.exe
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [cdloader] "C:\Users\Nugent\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [nmooemjo] C:\Users\Nugent\AppData\Local\ymbicrceu\ghhvfhhtssd.exe
O4 - HKCU\..\Run: [tcactive] C:\Program Files (x86)\The Cleaner\tcap.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files (x86)\PokerStars.NET\PokerStarsUpdate.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v53/wwspades/wwspades.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM - C:\ASUS.SYS\config\DVMExportService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: The Cleaner 2011 Helper Service (moohelp) - MooSoft Development LLC - C:\Program Files (x86)\The Cleaner\mhelper.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10340 bytes




Is there a version of combofix to get for 64bit vista? Apparently the one I downloaded only works for windows XP and 2000 (I used your siggy link)



here is an mbam log



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4073

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18904

5/7/2010 1:50:52 AM
mbam-log-2010-05-07 (01-50-52).txt

Scan type: Full scan (C:\|)
Objects scanned: 256207
Time elapsed: 39 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files (x86)\Mozilla Firefox\extensions\{711a73ad-d965-09d7-326f-92bad258195d}\components\G5Xbo_r9vB-61_-.dll (Adware.BHO) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\search toolbar (Adware.Zugo) -> No action taken.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> No action taken.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nmooemjo (Rogue.AntivirusSuite.Gen) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files (x86)\Mozilla Firefox\extensions\{711a73ad-d965-09d7-326f-92bad258195d}\components\G5Xbo_r9vB-61_-.dll (Adware.BHO) -> No action taken.
C:\Program Files (x86)\Search Toolbar\SearchToolbarUninstall.exe (Adware.Zugo) -> No action taken.
C:\Users\Nugent\AppData\LocalLow\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\SearchToolbarUninstall.exe (Adware.Zugo) -> No action taken.
C:\Users\Nugent\Downloads\FLVDirect.exe (Adware.DoubleD) -> No action taken.
C:\Users\Nugent\Downloads\RetrogamerSetup2.3.67.1.SA.HP.RGfox000.exe (Adware.MyWebSearch) -> No action taken.
C:\Users\Nugent\Downloads\Setup(2).exe (Adware.Agent) -> No action taken.
C:\Windows\Temp\Setup.exe (Trojan.Chifrax) -> No action taken.
C:\Users\Nugent\AppData\Local\ymbicrceu\ghhvfhhtssd.exe (Rogue.AntivirusSuite.Gen) -> No action taken.



Mbam seems to have fixed my problem, although IE doesn't work now. My computer is also running really slow, but at least i can do my normal activities on here.

I am sure the virus is lying around here someplace, i just need to find it and remove it.

 

[Osiris]

Remove these entries

R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files (x86)\Search Toolbar\tbhelper.dll

O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O3 - Toolbar: FrostWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

then run ccleaner and cleanup.

Reboot when malwarebytes prompts you to so it can remove the entries and then run them again.

 

[Exarchice]

Thanks, everything looks good now running smooth again.

Is there a way to find out what this address is? Apparently this virus changed my proxy settings(which is probably why only the 1 site virus add site was able to be accessed through IE.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4073

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/7/2010 2:03:08 PM
mbam-log-2010-05-07 (14-03-08).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 256262
Time elapsed: 42 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[Osiris]

127.0.0.1 is a reserved IP address corresponding to the host computer. Known as the loopback address, 127.0.0.1 is used whenever a program needs to access a network service running on the same computer as itself. Although mainly used as a testing and development address, the loopback address can be used to access local services, such as webservers, that are usually only accessed over a network and have no local interface. Additionally, most modern operating systems that implement TCP/IP regard the name "localhost" as being equivalent to 127.0.0.1.
The address 127.0.0.1 is defined by the TCP/IP protocol as a reserved address that routes packets back to the host. Thus, no computer connected to the Internet, or any other TCP/IP compliant network, can identify itself as 127.0.0.1. The Internet Engineering Task Force's RFC 3330 defines 127.0.0.1 and 12 other special-use IPv4 addresses. Any public router or gateway that receives a packet destined for a special-use IP is required to drop it, without logging it's contents. Thus, if such a packet is accidentally forwarded outside of it's host, the packet will not accidentally arrive at another location that is willing to accept it and answer. This requirement helps provide network security, as even a machine that is configured to appear invisible on a network will likely answer packets addressed to it's loopback address. Additionally, some services may be unexpectedly activated by responding to such a stray packet.

 

[Exarchice]

So, basically you are saying he used a ghost or spoofer, this creating and using this i.p. address for an attack? I normally leave that option unchecked and blank on the inside. I don't know much about networking, but I will be sure to make a note of that for future reference.


I really appreciate your help, otherwise I would still be looking for something to remove the problem, also I wouldn't have found those suspicious folders in my x86 files, which are now removed. I found a few other weird things in that file as well that i never noticed before, like a bunch of loose applications(not in folders) I went ahead and removed those as well.

I'm really happy my comp runs like brand new now, even better than before I got the virus. I figured it was just running a little sluggish(but not too slow) because of all the programs I have on my hard drive. I guess AVG is nice to use, but doesn't catch everything. I am going to start using Mbam once a week from now on

 

[Osiris]

AVG is good and so are a few others but nothing catches all, thats why its best to run mbam and another free AV such as AVG or Avast or whatever else is out there.