Solved

Virus creating a text file at my desktop

Posted on 2008-06-24
Last Modified: 2013-12-09
An unknown virus is creating a text file on my desktop and is also running processes like cmd.exe, xcopy.exe and reg.exe. The consequences are: it has removed Folder Options, Task Manager, regedit etc. The most irritating part is that it shuts down Windows after some time (not restart). If I manage to kill the process like cmd.exe (by enabling it from gpedit.msc), then the virus doesn't shut down the PC or spread if a pen drive is inserted. But when I restart the PC it starts once again.
I have checked the drives by showing hidden system files and folders, where it creates a vbb.exe folder and an autorun.inf file.
I have checked the process through Process Viewer from Microsoft, which shows that the cmd.exe process is running under the medeaplayer.exe folder in that process window, which resides in system32\usmt\. I have checked manually and I haven't got any file like that in that usmt folder.

Help me out... please
Question by:saakib
14 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21853216
Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs.
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help stop the spread of future infection.


Then show us a Hijackthis log.
Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.
Please attach the logfile as "Code Snippet".

Author Comment

by:saakib
ID: 21854302
Hello

I am sending here the text file of HijackThis and a screenshot from Process Explorer where the process responsible for this is marked in black. The process shows its origin at C:\windows\system32\usmt\
but I am not getting any trace there (no existence of those types of files).

One more thing: I just need to clean my PC; the affected pen drive has been formatted.

thanks
hijackthis-infected.txt
process-explorer.JPG
LVL 47

Expert Comment

by:rpggamergirl
ID: 21854910
Fix these entries in Hijackthis:
O4 - HKLM\..\Run: [ABUGCHECK] C:\WINDOWS\system32\usmt\pos.bat  
O4 - HKLM\..\Run: [VBB] C:\WINDOWS\system32\usmt\mediaplayer.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

And delete these files below:
C:\WINDOWS\system32\usmt\pos.bat  
C:\WINDOWS\system32\usmt\mediaplayer.exe


Also try running these tools and show us the logfiles.
1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back


2.  download ComboFix to your Desktop, from either of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Author Comment

by:saakib
ID: 21862505
Thanks for your prompt reply. Sorry for the late response :-(

FYI: I am not getting any entry like C:\WINDOWS\system32\usmt\mediaplayer.exe
so what can I do?

Do I need to run SDFix and ComboFix after fixing through HijackThis? I can't afford to lose data :-( I am afraid that if anything goes wrong after running those I have no option other than suicide (lolz.)

thanks

Author Comment

by:saakib
ID: 21862566
I have done the following things:
Fix these entries in Hijackthis:
----------------------------------------------------------------------------------------------------------------
O4 - HKLM\..\Run: [ABUGCHECK] C:\WINDOWS\system32\usmt\pos.bat  
O4 - HKLM\..\Run: [VBB] C:\WINDOWS\system32\usmt\mediaplayer.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

And delete these files below:
C:\WINDOWS\system32\usmt\pos.bat  
-----------------------------------------------------------------------------------------------------------------
But the problem is that pos.bat is regenerating after restarting the computer, and those three entries are also being re-created in the HijackThis tool. Please help.
LVL 47

Expert Comment

by:rpggamergirl
ID: 21862638
Fixing entries in Hijackthis alone will not fix the problem, we need to delete those files as well. If you don't want to run SDFix and/or Combofix, tell me, is your System Restore turned on?
If so, then try rolling back to a date before this has happened. Try System Restore back to a date before you got infected.

Start > All Programs > Accessories > System Tools > System Restore
then choose a restore point before you got infected and we'll start from there.

Author Comment

by:saakib
ID: 21862677
Thanks for your reply.
Sorry, I don't have System Restore enabled. I am not getting the mediaplayer.exe file to delete.
pos.bat is re-created after deletion.
If you can assure me that nothing will happen to my OS after SDFix and ComboFix, I can try :-(
Please let me know the steps to be taken.

Regards.
LVL 47

Expert Comment

by:rpggamergirl
ID: 21862764
SDFix.exe and Combofix.exe are very reliable tools and I've used them many times and suggested their use many times, but I cannot guarantee that things will go as smoothly as always, so you must use these tools at your own risk.

Try deleting those files in Safe Mode,
then run an online scan afterwards. I'm sorry but I can't assure you that everything will be okay as sometimes things can happen when running any scanners.

Author Comment

by:saakib
ID: 21862825
**Try deleting those files in Safe Mode, the whole folder C:\WINDOWS\system32\usmt **

Did you mean the entire USMT folder... will it be re-created automatically after the OS restarts?
I don't think the OS will start properly without this folder and the files inside it.
Could you please explain.
LVL 47

Expert Comment

by:rpggamergirl
ID: 21862882
Sorry, no not the whole folder.... maybe use a third party tool like Killbox to delete those files at reboot.

Author Comment

by:saakib
ID: 21863020
OK, I will get back to you after trying things.

Author Comment

by:saakib
ID: 21893215
Hey Dear,
Sorry for the late response! :-(
I have gone through the whole procedure regarding SDFix and ComboFix... Yahooooo, it seems it's all right now. Please check the attached log files after fixing and let me know if anything further needs to be done.

Thank you very much :-)
regards
combofix-log.txt
hijackthis-29-06.txt
sdfix.txt

Author Comment

by:saakib
ID: 21952144
OK, I have got the answer to my question and the full credit goes to "rpggamergirl".
Thanks a lot for your nice support.

Admin, please close this question; I have got my solution.

Thanks
LVL 47

Accepted Solution

by:rpggamergirl (earned 125 total points)
ID: 21955272
saakib,
Please close the question (if the problem is solved); you don't need the Admins to close it for you, just click on the "Accept this Solution" button in any of my comments that helped you, thanks!

Looking at the logs:
D:\vbb.exe
C:\WINDOWS\system32\usmt\mediaplayer.exe
C:\WINDOWS\system32\usmt\vbb.exe
The above files are showing in the logs, whether they still exist or are already gone.
Check to make sure they're gone; they're hidden, so you need to show hidden files and folders first.

It was a flash-drive infection, so you might like to consider running Flash_Disinfector also. The tool creates a harmless "autorun.inf" folder in each partition to stop further spread of future flash-drive infection.
Download and run this tool and follow the prompts:
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
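As an added example (not part of the thread, and not a tool rpggamergirl recommended), the following PowerShell script audits a Windows host for the indicators named in the HijackThis entries and in the accepted solution above: the [ABUGCHECK] and [VBB] Run entries, the DisableRegedit policy, the dropped files under system32\usmt, and a per-drive autorun.inf. It assumes a modern PowerShell with the registry and filesystem providers available; it only reports and changes nothing.

```powershell
# Added example: audit for the indicators discussed in this thread.
# Run from an elevated PowerShell prompt. Read-only: nothing is deleted or fixed.

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$usmtDir   = Join-Path $env:SystemRoot 'system32\usmt'

# 1. Autostart entries from the HijackThis O4 lines.
foreach ($name in 'ABUGCHECK', 'VBB') {
    $value = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($value) { "SUSPECT Run entry: [$name] $value" } else { "ok: no Run entry [$name]" }
}

# 2. Lock-out policies (O7 line: DisableRegedit=1; DisableTaskMgr is assumed, as
#    the poster also lost Task Manager).
foreach ($name in 'DisableRegedit', 'DisableTaskMgr') {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -eq 1) { "SUSPECT policy: $name=1" } else { "ok: $name not set" }
}

# 3. Dropped files listed in the logs. They were hidden, so -Force is needed to see them.
foreach ($file in 'pos.bat', 'mediaplayer.exe', 'vbb.exe') {
    $path = Join-Path $usmtDir $file
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        "SUSPECT file: $path (attributes: $($item.Attributes))"
    } else { "ok: $path absent" }
}

# 4. Per-drive autorun.inf. A *file* is the worm's launcher; a *folder* named
#    autorun.inf is the guard Flash_Disinfector leaves behind on purpose.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $ar = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $ar)) { continue }
    $item = Get-Item -LiteralPath $ar -Force
    if ($item.PSIsContainer) {
        "ok: $ar is a folder (Flash_Disinfector guard)"
    } else {
        "SUSPECT autorun.inf file on $($drive.Root) (first lines shown):"
        Get-Content -LiteralPath $ar -ErrorAction SilentlyContinue | Select-Object -First 5
    }
}
```

Any "SUSPECT" line is a starting point for the removal steps rpggamergirl gave above; a clean host prints only "ok" lines.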