bevtech asked on

Multiple Pcs Infected with a virus/malware that creates bs.exe in c:\

We are having major problems with several machines that are creating the bs.exe file, which AVG 8.0 detects as killAV.KR. AVG will delete it, however it gets recreated. We have used ComboFix and Spybot Search & Destroy, but nothing will help us find the cause of the problem. So I am looking for suggestions to find the source of the creation of bs.exe. All help is appreciated. :)
Tags: OS Security, Windows XP, Anti-Spyware

Last Comment
rpggamergirl

8/22/2022 - Mon
orangutang

ASKER
bevtech

Oh yes, I am sorry, I should have included that when I posted the question.
hijackthis.log
SOLUTION
orangutang

ASKER
bevtech

OK, what would be the easiest way to check for hidden autorun.infs?
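The accepted answer to this question is behind the paywall, so here is an added example (editor's code, not from anyone in the thread) of the check bevtech is asking about: list every autorun.inf sitting at a drive root, whether or not it carries the Hidden/System attributes, and show what it would launch. The sample autorun.inf is constructed; only the srv32.exe path inside it is taken from the ComboFix output posted later in this thread. On a Windows machine run it with no arguments to scan all drive letters; anywhere else it scans the directories given on the command line, or the built-in sample.

```python
import os
import string
import sys
import tempfile

# Keys in an [autorun] section that make Windows run something when the drive
# is opened, double-clicked, or (on unpatched XP) merely inserted.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: command} for every code-launching key in the [autorun]
    section. Section and key names are matched case-insensitively, as Windows does."""
    launches = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        # shell\<verb>\command keys register context-menu verbs, including the
        # default verb that double-clicking the drive runs.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launches[key] = value.strip()
    return launches


def find_autorun_infs(roots):
    """Return [(path, launches)] for every autorun.inf directly under each root.
    os.listdir() returns hidden and system files too, so the +H +S attributes
    a worm sets on the file do not hide it from this scan."""
    found = []
    for root in roots:
        try:
            names = os.listdir(root)
        except OSError:
            continue  # unreadable or absent drive
        for name in names:
            if name.lower() != "autorun.inf":
                continue
            path = os.path.join(root, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    found.append((path, parse_autorun(fh.read())))
            except OSError:
                pass
    return found


def windows_drive_roots():
    """All present drive letters; only meaningful on Windows."""
    return [f"{c}:\\" for c in string.ascii_uppercase if os.path.exists(f"{c}:\\")]


# Constructed sample. The executable path is the one ComboFix reported in this
# thread; the surrounding autorun.inf wording is typical of the era, not
# recovered from any of the affected machines.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\srv32.exe
shell\open\Command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\srv32.exe
shell\explore\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\srv32.exe
shellexecute=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\srv32.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""


def demo_scan():
    """Write the sample into a temporary 'drive root' and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        return find_autorun_infs([root])


if __name__ == "__main__":
    roots = sys.argv[1:] or (windows_drive_roots() if os.name == "nt" else [])
    results = find_autorun_infs(roots) if roots else demo_scan()
    for path, launches in results:
        print(path)
        for key, cmd in launches.items():
            print(f"    {key} -> {cmd}")
```

Anything printed under `open`, `shellexecute` or a `shell\...\command` key is what Explorer would execute for that drive; a path into RECYCLER, a fixed SID folder, or any executable on a removable drive is the thing to submit to a scanner before deleting the file.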
ASKER CERTIFIED SOLUTION
orangutang

Oh, play, never mind.
ASKER
bevtech

Well, I ran ComboFix on the machine and it still creates the file. The only thing that stuck out on that log was an svr32.exe that was listed in mount points; I deleted the references to it in the registry. I will include the combofix.txt so you can have a look at it and see if anything stands out. :)
ComboFix.txt
orangutang

Oops, I meant "okay" not "play" :)
SOLUTION
ASKER
bevtech

Completed, but I still have the BS.EXE being created.
ASKER
bevtech

Here is the ComboFix log again; I kept out the deleted files because there are pages of them that were under the owner! The SRV32.exe seems odd and it is attaching itself to the Recycle Bin?? Hmm, I know I deleted that once already.
ComboFix2.txt
ASKER
bevtech

I might have found the solution. It seems that ComboFix does not label by any version number. I downloaded a version from MajorGeeks, ran it, and it deleted a bunch of .ini's and other files, and so far I am not having a bs.exe created. :)
ASKER
bevtech

Thanks for all the help; too bad I cannot award myself some points because I found the complete solution. :)
rpggamergirl

When we ask the user to scan the system with ComboFix we always give the most updated version --> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
I just looked at the header of your first ComboFix log and that was last year's version of ComboFix (I should've checked it); a lot has been happening with the CF tool since then. I think at that time a CF-Do function was used instead of CFScript.
You cannot keep a ComboFix for any length of time, as the author updates the tool very often; you need to get rid of it after its use (when the helper asks you to uninstall it), which means after your PC is clean.
You could mess up your system by using an older version if a new variant of malware that interferes with ComboFix is present in the system.

So, is that the latest ComboFix log that you just posted? (The header is missing.)
Some bad registry entries are still showing there:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      msv1_0 C:\WINDOWS\system32\khfFXoMd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e71485fb-26d8-11dd-b262-0013108407a9}]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\srv32.exe
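Why those three entries stand out is worth spelling out, so here is an added example (editor's code, not ComboFix's logic and not from anyone in the thread) that runs the same checks over a ComboFix-style text excerpt. The excerpt is built from the lines quoted above. Three facts drive it: Windows XP ships with exactly one LSA authentication package, msv1_0, and every additional entry is a DLL that LSASS loads at boot; an Active Setup "Installed Components" subkey is run once per user at logon through its StubPath, and the one quoted here points into C:\RECYCLER, where no installer puts a stub; and the GUID of that subkey contains the letter X in two places, which is not a hexadecimal digit, so it is not a GUID Windows or any installer would have generated. The MountPoints2 entry is listed but not scored, since the excerpt does not show its contents; the thresholds below are the editor's assumptions, not ComboFix rules.

```python
import re

# XP's only built-in LSA authentication package (assumption: no third-party
# logon product installed; those add their own DLLs here legitimately).
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# A real GUID is 8-4-4-4-12 hexadecimal digits in braces.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# Folders where a legitimate Active Setup StubPath essentially never lives.
ODD_EXE_DIRS = ("\\recycler\\", "\\recycled\\", "\\temp\\")


def unexpected_auth_packages(values):
    """Entries of the Authentication Packages multi-string beyond the default."""
    return [v for v in values if v.lower() not in DEFAULT_AUTH_PACKAGES]


def is_well_formed_guid(text):
    return bool(GUID_RE.match(text))


def odd_stubpath(path):
    low = path.lower()
    return any(d in low for d in ODD_EXE_DIRS)


def audit(excerpt):
    """Return a list of human-readable findings for a ComboFix-style excerpt."""
    findings = []
    lines = [ln.rstrip() for ln in excerpt.splitlines()]
    for i, line in enumerate(lines):
        stripped = line.strip()
        low = stripped.lower()
        if low.startswith("authentication packages"):
            # ComboFix prints the value name, then the entries, space-separated.
            for v in unexpected_auth_packages(stripped.split()[2:]):
                findings.append(f"extra LSA authentication package: {v}")
        if "active setup\\installed components\\" in low:
            guid = stripped.rstrip("]").rsplit("\\", 1)[-1]
            if not is_well_formed_guid(guid):
                findings.append(f"malformed Active Setup GUID: {guid}")
            # The StubPath is printed on the next non-empty line.
            nxt = next((ln.strip() for ln in lines[i + 1:] if ln.strip()), "")
            if odd_stubpath(nxt):
                findings.append(f"Active Setup StubPath in odd location: {nxt}")
    return findings


# Constructed excerpt, assembled from the registry lines quoted in this thread.
EXCERPT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      msv1_0 C:\WINDOWS\system32\khfFXoMd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e71485fb-26d8-11dd-b262-0013108407a9}]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\srv32.exe
"""

if __name__ == "__main__":
    for finding in audit(EXCERPT):
        print(finding)
```

The extra authentication package is the one to treat as the root of the reinfection: a DLL in that list is loaded by LSASS before any user logs on, which is exactly the position from which a dropper can keep recreating bs.exe after AVG deletes it. Removing the srv32.exe stub alone leaves that in place.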
ASKER
bevtech

The machines are all fixed and not creating any more bs.exe. I think the .infs were the cause of the creation of svr32.exe and the bs.exe. Must be a newer type of malware infection starting to show up on PCs. I will keep in mind to update ComboFix at least once a week. Once I ran the newest ComboFix the creation of bs.exe stopped. I will however keep an eye out for other versions of this malware, because I am sure they will exist soon if they are not already in existence. :)
rpggamergirl

Glad to know it's been resolved.
For safety reasons, please uninstall ComboFix; the backup of bad files will also be gone.
Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.