Solved

W32.chir.b@mm

Posted on 2006-11-26
30
4,536 Views
Last Modified: 2008-01-09
can any body help me out !!!

basically i used Symantec antivirus (scanned in safe mode) and it showed hundreds of files infected with w32.chir.b@mm Trojan .....Symantec cleaned many files....but again it comes up straight ...

I reinstalled windows 3,4 times but after installation it comes back again .....the online scanner was not working and it takes a hell of a time to load (i was not able to load the online scanner) given here ...
http://www.symantec.com/security_response/writeup.jsp?docid=2001-031517-2139-99

i suspect that maybe ....one of my .exe files is corrupted ..and whenever i run that setup or something it goes wild and all w32 viruses come back again ....also one more thing, whenever i run a .exe file my 512 MB RAM PC's usage becomes 100% and the .exe file which i ran, in taskbar properties, runs 3,4 times which takes all CPU usage ...i also detected


also used the latest Ewido but was unsuccessful !! recommend something abt it ....i didn't find any solution at EE either ...(searching previous questions) what to use ..!! ??
0
Question by:magnetic_kisser
30 Comments
 
LVL 21

Expert Comment

by:jvuz
ID: 18017616
0
 
LVL 21

Assisted Solution

by:jvuz
jvuz earned 100 total points
ID: 18017622
0
 
LVL 21

Expert Comment

by:jvuz
ID: 18017625
0
 
LVL 20

Assisted Solution

by:jimmymcp02
jimmymcp02 earned 20 total points
ID: 18024208
I believed that Stinger removes medium to high trojans/viruses but it's worth a try anyway

can you please let us know what OS you are using so we can narrow down the issue. If you are using Windows XP and you believe the file association is corrupt, then use the file association fix for .exe files from the following link
http://www.dougknox.com/xp/file_assoc.htm
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18029889
definitely it's Win XP !! dear ...i am checking all this
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18037715
naah  i tried all ............nothing was useful !!! :(
0
 
LVL 20

Expert Comment

by:jimmymcp02
ID: 18041390
have you tried disabling System Restore and scanning in safe mode?
also make sure that your antivirus is not excluding any folders such as \restore
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18043984
well i am continuously working in safe mode ... :( ..........i installed many things. Symantec does detect it and cleans many files, but why then does it return again after windows installation? runounce.exe is the culprit ....i deleted it from the registry but it comes back again whenever i run any exe file ....

any antivirus in particular ..... ?? which u may think removes chir@mm from the bud ?
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 180 total points
ID: 18044202
Hi,
I'm surprised no one has suggested hijackthis yet. Hijackthis is a very good diagnostic tool, it's not just for browser hijacks.

Can we look at a hijackthis log please?
You can upload the log to any sites you like or at EE-Stuff.com.
If you have trouble uploading, just paste the log here in your question.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then upload the logs to any hosting sites,
or go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Then post the link to the saved list here.
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18044473
yah ....i was abt to paste the log here ....i didn't try HijackThis ....yet ...

Logfile of HijackThis v1.99.1
Scan saved at 4:58:36 AM, on 3/3/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Windows Media Player\wmplayer.exe
D:\WINDOWS\system32\msiexec.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\HijackThis 1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.experts-exchange.com/
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Runonce] D:\WINDOWS\system32\runouce.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18044481
basically

dl.exe comes up popping up with two buttons, close and ignore, and clicking either doesn't do a thing ....Runouce.exe is running in the task bar properties continuously .......which makes system CPU 100% ....i have installed windows today ....and when i installed the drivers for sound and video this runouce comes back again .........

readme.eml is another file ....when i open firefox it comes up opening 7,8 firefox windows saying do u want to download readme.eml ? ..........

i searched the net and found out that the culprit is this w32.chir.b@mm ......which is a worm, spyware itself !! ...what to do ?? plz help !
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18044615
Yes, I can see the bad entry there,
but first can you rename hijackthis.exe to some.exe (or whatever.exe you want to rename it to),
then scan your system again with that renamed hijackthis and show us the log.
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18046158
it's the same i gave ...above ?? .....does renaming make some difference ?
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18047202
what to do ?  any suggestions ...
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 180 total points
ID: 18049600
It's because some entries are missing from that log. I have the feeling that some nasties are monitoring the hijackthis.exe process and are able to hide from the scan; when you rename hijackthis they won't be able to hide from it, because they won't know that hijackthis is scanning your system under a different name.

To rename hijackthis:
Navigate to the directory where you saved Hijackthis.exe
--> D:\Program Files\HijackThis 1.99.1\HijackThis.exe

Right-click on hijackthis.exe, then select "Rename".
Name it something like: "some.exe" (or whatever you want as long as it doesn't have the word "hijackthis")
Then double-click on the renamed hijackthis to scan and then post the new logfile.


OR: you can download the already renamed hijackthis:
http://danborg.org/spy/hjt/alternativ.exe
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18053266
hmm lets see ! will be back with the log !
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18053280
here is it !!

Logfile of HijackThis v1.99.1
Scan saved at 6:25:04 AM, on 3/4/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Documents and Settings\Administrator\Desktop\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.experts-exchange.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Runonce] D:\WINDOWS\system32\runouce.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Vypress Chat StartUp.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll



well i always see abt this hijackthis log ......how to determine the wrong entries .....can u shortly describe a bit which processes are necessary for the log to show and which are critical to the system ??

i think for dl.exe it starts automatically even in safe mode ...strange but it does !! it comes in my documents folder ...(and places where .exe files are run )

waiting for ya reply !!
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 180 total points
ID: 18053374
Still not many entries; nasties could still just be hiding those entries.
You said you're using Symantec antivirus, and also Ewido, but I don't see any sign of antivirus installed in that log. Still no services showing. Did you mean online Symantec scan and online Ewido scan?
You need to install antivirus and Firewall if you haven't got them yet.


1. Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following text (all text inside the lines below):

-----------------------------------------------------------------------------------------------------------
Files to delete:
D:\WINDOWS\system32\runouce.exe
D:\WINDOWS\system32\dl.exe
D:\WINDOWS\system32\syslogin.exe

Registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Runonce
------------------------------------------------------------------------------------------------------------

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.


2.  Next please download and run Superantispyware:
Download and install Superantispyware
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
Load Superantispyware and click the "check for updates" button.
Once the update is finished, close SuperAntispyware again; we'll perform the scan later in safe mode.

* Start Superantispyware.
Click the "scan your computer" button.
Check "Perform Complete Scan" and then next.
Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
Make sure that they all have a check next to them and press next.
Click finish and you will be taken back to the main interface.
Click "Preferences" and then click the "statistics/logs" tab. Click the dated log and press view log and a text file will appear.
0
 
LVL 21

Assisted Solution

by:jvuz
jvuz earned 100 total points
ID: 18053378
Fix this:

O4 - HKLM\..\Run: [Runonce] D:\WINDOWS\system32\runouce.exe

and scan again for viruses
0
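A defender-side check for the pattern jvuz and rpggamergirl spotted in the log above: a Run entry labelled Runonce that launches runouce.exe, one letter off from the legitimate runonce.exe. This is an added example, not code from this thread or from HijackThis; the allow-list of known Windows binary names and the sample O4 lines are constructed for the demonstration.

```python
import re

# Constructed sample: the O4 (autorun) lines from the HijackThis log posted in this
# thread, used here as offline input for the check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Runonce] D:\WINDOWS\system32\runouce.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# Assumed short allow-list of genuine Windows binary names (extension stripped).
# A real deployment would use a fuller list; this one is just enough for the demo.
KNOWN_STEMS = {"runonce", "svchost", "lsass", "winlogon", "explorer",
               "services", "smss", "spoolsv", "csrss", "dumprep"}

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$')


def levenshtein(a, b):
    """Plain edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_stem(cmd):
    """Lower-cased file name, extension stripped, of the program an O4 command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):            # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split()[0] if cmd else ""
    base = re.split(r'[\\/]', path)[-1].lower()
    return base.rsplit('.', 1)[0] if '.' in base else base


def audit_o4(log_text):
    """Return (label, stem, reasons) for each O4 entry that looks like a masquerade."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        label, stem = m.group("label"), exe_stem(m.group("cmd"))
        reasons = []
        # 1. Binary name is one edit away from a genuine Windows binary (runouce ~ runonce).
        if stem not in KNOWN_STEMS and len(stem) >= 4:
            for known in KNOWN_STEMS:
                if levenshtein(stem, known) == 1:
                    reasons.append(f"lookalike of {known}.exe")
        # 2. Entry is labelled with a genuine name but launches a different binary.
        if label.lower() in KNOWN_STEMS and stem != label.lower():
            reasons.append(f"label '{label}' does not match binary '{stem}'")
        if reasons:
            findings.append((label, stem, reasons))
    return findings


if __name__ == "__main__":
    for label, stem, reasons in audit_o4(SAMPLE_LOG):
        print(f"[{label}] -> {stem}: " + "; ".join(reasons))
```

Run against the sample it reports only the Runonce entry, on both grounds; the other O4 lines pass.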
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18053422
magnetic kisser,
It's past midnight here, so I'll be off now.
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18054371
alright .....i am trying this .......basically i was fed up with my windows ...installed it yesterday ...it is without antivirus now ...let me check all this ....have a calm sleep ! :) .........

no ...not online, they were installed on my PC but after windows i didn't install them ...
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18059123
avenger ...........it was not able to delete dl.exe ..................... what abt readme.eml file ?? it automatically opens browsers whenever i start firefox ?


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\iqdqaqid

*******************

Script file located at: \??\D:\Documents and Settings\rmxfhvkf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

File D:\WINDOWS\system32\runouce.exe deleted successfully.


File D:\WINDOWS\system32\dl.exe not found!
Deletion of file D:\WINDOWS\system32\dl.exe failed!

Could not process line:
D:\WINDOWS\system32\dl.exe
Status: 0xc0000034



File D:\WINDOWS\system32\syslogin.exe not found!
Deletion of file D:\WINDOWS\system32\syslogin.exe failed!

Could not process line:
D:\WINDOWS\system32\syslogin.exe
Status: 0xc0000034

Registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Runonce deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18059125
also i can't access windows ....and msconfig ........i have to run my PC in safe mode ...... :( so i can't install the 2nd one, it says that u r running in safe mode and windows installer cannot be accessed
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18059143
smitfraudfix log

SmitFraudFix v2.126

Scan done at  2:35:03.12, Tue 03/05/2002
Run from D:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» D:\


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18059152
i didn't write abt readme.eml which comes whenever i try to open my Firefox browser, which opens 10,15 times saying do you want to download readme.eml ? another problem is dl.exe which comes with the error message close or ignore ......and the third one is the good old runouce.exe which also comes back (i have deleted it from the registry, from system32
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18067316
Well rpggamergirl and others .....

I installed McAfee antivirus suite, which includes antispyware, antispam and many other things; installed windows and immediately scanned for viruses ...till now my windows is working fine ...lets see ...! what happens next ...the hijackthis log was from safe mode and not from normal windows mode .........
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18191373
ok .......it's time to close the question :) i know it's late but ......i was short of time !! ................thank God i'm free now !!

i installed ....McAfee 10 ........and my pc is working fine ....what i have done is, i installed windows and immediately installed McAfee and scanned my pc ......around 200 chir.b@mm files with around 100 spywares were found ;) well got rid of each of them and now ...my pc is freeeeeeeee !

thanks to all, especially Gamergirl ! ......
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18191424
magnetic kisser,
I didn't get the notifications of all your replies since my last post; sorry, I didn't know you had posted heaps. I was only notified now that it is closed.

I'm glad you installed McAfee and it's now sorted out.
Thanks!

Merry Christmas! and happy holidays!
0
 
LVL 10

Author Comment

by:magnetic_kisser
ID: 18205065
:) wow ......rpggamergirl :)

i was really amazed at why u didn't respond ......well thanks for the help !! .....
merry Christmas and sadly i don't have holidays :(
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18205601
magnetic kisser,
No holidays? ....well, that could mean you'll have more money instead! lol.

yeah, I didn't get notifications before, and it is not the first time I've missed notifs on threads that I've already subscribed to.
Something must be wrong with my mail server or somewhere.

Anyway, hope you have a Great New Year!
0
