Virus creating a text file at my desktop

Posted on 2008-06-24
Last Modified: 2013-12-09
An unknown virus is creating a text file on my desktop and is also running processes like cmd.exe, xcopy.exe and reg.exe. The consequences are: it has removed Folder Options, Task Manager, regedit etc. The most irritating part is that it shuts down Windows after some time (not restart). If I manage to kill the process like cmd.exe (by enabling it from gpedit.msc) then the virus doesn't shut down the PC or spread if a pen drive is inserted. But when I restart the PC it starts once again.
I have checked the drives by showing hidden system files and folders, where it creates a vbb.exe folder and an autorun.inf file.
I have checked the process through Process Viewer from Microsoft, which shows that the cmd.exe process is running under the medeaplayer.exe folder in that process window, which resides in system32\usmt\. I have checked manually and I haven't got any file like that in that usmt folder.

Help me out... please
Question by: saakib
LVL 47

Expert Comment

ID: 21853216
Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs.
and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you ran it. Don't delete it; it will help stop the spread of future infections.

Then show us a Hijackthis log.

Open Hijackthis, click "Do a system scan and save a logfile"; please don't fix anything yet.
Please attach the logfile as a "Code Snippet".

Author Comment

ID: 21854302

I am sending here the text file from Hijackthis and a screen shot from Process Explorer where the process responsible for this is marked in black. The process shows its origin at C:\windows\system32\usmt\
but I'm not getting any trace there (no existence of those types of file).

One more thing: I just need to clean my PC; the affected pen drive has been formatted.

LVL 47

Expert Comment

ID: 21854910
Fix these entries in Hijackthis:
O4 - HKLM\..\Run: [ABUGCHECK] C:\WINDOWS\system32\usmt\pos.bat  
O4 - HKLM\..\Run: [VBB] C:\WINDOWS\system32\usmt\mediaplayer.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

And delete these files below:

Also try running these tools and show us the logfiles.
1.  Download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back.

2.  download ComboFix to your Desktop, from either of these locations:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Re-enable all the programs that were disabled during the running of ComboFix.

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Author Comment

ID: 21862505
Thanks for your prompt reply. Sorry for the late response :-(

FYI: I'm not getting any entry like C:\WINDOWS\system32\usmt\mediaplayer.exe
so what can I do?

Do I need to run those SDFix and ComboFix after fixing through Hijackthis? I can't afford to lose data :-( I am afraid if anything goes wrong after running those I have no other option rather than suicide (lolz.)


Author Comment

ID: 21862566
I have done the following things:
Fix these entries in Hijackthis:
O4 - HKLM\..\Run: [ABUGCHECK] C:\WINDOWS\system32\usmt\pos.bat  
O4 - HKLM\..\Run: [VBB] C:\WINDOWS\system32\usmt\mediaplayer.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

And delete these files below:
But the problem is pos.bat is regenerating after restarting the computer and those three entries are also being re-created in the Hijack tool. Please help.
LVL 47

Expert Comment

ID: 21862638
Fixing entries in Hijackthis alone will not fix the problem; we need to delete those files as well. If you don't want to run SDFix and/or Combofix, tell me, is your System Restore turned on?
If so, then try rolling back to a date before this happened. Try System Restore back to a date before you got infected.

Start > All Programs > Accessories > System Tools > System Restore
then choose a restore point before you got infected and we'll start from there.

Author Comment

ID: 21862677
Thanks for your reply.
Sorry, I don't have System Restore enabled. I'm not getting the mediaplayer.exe file to delete.
pos.bat is re-created after deletion.
If you can assure me that nothing will happen to my OS after SDFix and ComboFix I can try :-(
Please let me know the steps to be taken.

LVL 47

Expert Comment

ID: 21862764
SDFix.exe and Combofix.exe are very reliable tools and I've used them many times and suggested their use many times, but I cannot guarantee that things will go as smoothly as always, so you must use these tools at your own risk.

Try deleting those files in Safe Mode,
then run an online scan afterwards. I'm sorry but I can't assure you that everything will be okay as sometimes things can happen when running any scanners.

Author Comment

ID: 21862825
**Try deleting those files in Safe Mode, the whole folder C:\WINDOWS\system32\usmt **

Did you mean the entire USMT folder? Will it be recreated automatically after the OS is restarted?
I don't think that the OS will start properly without this folder and those files inside it.
Could you please explain?
LVL 47

Expert Comment

ID: 21862882
Sorry, no, not the whole folder... maybe use a third party tool like Killbox to delete those files at reboot.

Author Comment

ID: 21863020
OK, I will get back to you after trying things...

Author Comment

ID: 21893215
Hey Dear,
Sorry for the late response! :-(
I had gone through all the procedure regarding SDFix and ComboFix... Yahooooooooooo, it seems it's alright now... Please check the attached log files after fixing and let me know if anything further is required to be done.

Thank you very much :-)

Author Comment

ID: 21952144
OK, I have got the answer to my question and the full credit goes to "rpggamergirl".
Thanks a lot for your nice support.

Admin, please close this question; I have got my solution.

LVL 47

Accepted Solution

rpggamergirl earned 125 total points
ID: 21955272
Please close the question (if the problem is solved); you don't need the Admins to close it for you, just click on the "Accept this Solution" button in any of my comments that helped you, thanks!

Looking at the logs:
The above files showing in the logs, whether they still exist or are already gone:
Check to make sure they're gone; they're hidden so you need to show hidden files and folders first.

It was a flash-drive infection, so you might like to consider running Flash_Disinfector also. The tool creates a harmless "autorun.inf" in each partition to stop further spread of future flash-drive infections.
Download and run this tool and follow the prompts:
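An added offline triage helper, written for this thread and not part of Experts Exchange, HijackThis or Flash_Disinfector: it picks out of a HijackThis log the O4 autostart and O7 policy lines that were fixed in the comment with ID 21854910 (a script or anything under system32\usmt running at logon, and user-restriction policies such as DisableRegedit), and it reads the launch directives out of an autorun.inf like the one found on the pen drive. The "suspicious" heuristics and the sample log are this example's own constructions.

```python
import re

# Heuristics chosen for this example, not rules from the thread's tools.
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+?)\s*$")
O7_RE = re.compile(r"^O7 - (HK\w+\\\S+), (\w+)=(\S+)\s*$")
SCRIPT_EXT = (".bat", ".cmd", ".vbs")
RESTRICTIONS = {"DisableRegedit", "DisableTaskMgr", "NoFolderOptions"}

def triage_hjt(log_text):
    """Return (name, detail, reason) for O4 autostarts and O7 policies worth a look."""
    findings = []
    for line in log_text.splitlines():
        if (m := O4_RE.match(line)):
            hive, key, name, target = m.groups()
            reasons = []
            if target.lower().endswith(SCRIPT_EXT):
                reasons.append("script launched at logon")
            if "\\usmt\\" in target.lower():
                reasons.append("autostart from system32\\usmt")
            if reasons:
                findings.append((name, target, "; ".join(reasons)))
        elif (m := O7_RE.match(line)):
            key, value, data = m.groups()
            if value in RESTRICTIONS and data == "1":
                findings.append((value, key, "user restriction policy set"))
    return findings

def parse_autorun(inf_text):
    """Return launch directives (open, shellexecute, shell\\...) from an autorun.inf body."""
    directives, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, _, val = line.partition("=")
            key = key.strip().lower()
            if key in ("open", "shellexecute") or key.startswith("shell\\"):
                directives[key] = val.strip()
    return directives

# Constructed sample input: the three lines quoted in the thread plus one benign entry.
SAMPLE_HJT = """O4 - HKLM\\..\\Run: [ABUGCHECK] C:\\WINDOWS\\system32\\usmt\\pos.bat
O4 - HKLM\\..\\Run: [VBB] C:\\WINDOWS\\system32\\usmt\\mediaplayer.exe
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1"""
SAMPLE_AUTORUN = "[autorun]\nopen=vbb.exe\nshell\\open\\command=vbb.exe\n"
```

Running `triage_hjt(SAMPLE_HJT)` flags the two usmt entries and the DisableRegedit policy but not SoundMan; `parse_autorun(SAMPLE_AUTORUN)` shows which executable the drive would launch.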
