saakib

asked on
Virus creating a text file at my desktop

An unknown virus is creating a text file on my desktop, and it is also running processes like cmd.exe, xcopy.exe and reg.exe. The consequences are: it has removed Folder Options, Task Manager, regedit, etc. The most irritating part is that it shuts down Windows after some time (not a restart). If I manage to kill the process like cmd.exe (by enabling it from gpedit.msc) then the virus doesn't shut down the PC or spread if a pen drive is inserted. But when I restart the PC it starts once again.
I have checked the drives by showing hidden system files and folders, where it creates a vbb.exe folder and an autorun.inf file.
I have checked the processes with the process viewer from Microsoft, which shows that the cmd.exe process is running under the mediaplayer.exe entry in that process window, which resides in system32\usmt\. I have checked manually and I haven't got any file like that in that usmt folder.

Help me out... please
rpggamergirl

Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs.
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you ran it. Don't delete this folder... it will help stop the spread of future infection.


Then show us a HijackThis log.
HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open HijackThis, click "Do a system scan and save a logfile". Please don't fix anything yet.
Please attach the logfile as a "Code Snippet".
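Added example (my own code, not Flash_Disinfector's and not part of this thread) showing why the hidden autorun.inf folder in the note above stops reinfection: a name in a directory can belong to either a file or a folder, never both, so once the folder exists a worm's attempt to drop its own autorun.inf file into the drive root fails. A temporary directory stands in for a drive root (constructed; nothing is written to a real drive), and on Windows only the folder is marked hidden+system as the note describes.

```python
import ctypes
import os
import tempfile

AUTORUN_NAME = "autorun.inf"
# Documented Windows file-attribute flags used by SetFileAttributesW.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def place_autorun_blocker(drive_root: str) -> str:
    """Create a folder named autorun.inf in drive_root and return its path.

    Refuses to act if a *file* of that name is already there: that file is
    evidence to inspect (and remove) before the blocker goes in.
    """
    blocker = os.path.join(drive_root, AUTORUN_NAME)
    if os.path.isfile(blocker):
        raise RuntimeError(f"{blocker} is an existing file; inspect it first")
    os.makedirs(blocker, exist_ok=True)
    if os.name == "nt":
        # Hidden + system so the folder stays out of the user's way on Windows.
        ctypes.windll.kernel32.SetFileAttributesW(
            blocker, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return blocker


def autorun_file_can_be_dropped(drive_root: str) -> bool:
    """Check whether a file named autorun.inf can be created in drive_root.

    This is the operation the blocker is meant to defeat. The content written
    is a constructed placeholder; the file is removed again immediately.
    """
    target = os.path.join(drive_root, AUTORUN_NAME)
    try:
        with open(target, "w", encoding="ascii") as fh:
            fh.write("; placeholder, not a real autorun file\n")
    except OSError:
        # IsADirectoryError on POSIX, PermissionError on Windows: both mean blocked.
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Show the before/after effect of the blocker on a throwaway 'drive root'."""
    with tempfile.TemporaryDirectory() as fake_root:
        before = autorun_file_can_be_dropped(fake_root)
        place_autorun_blocker(fake_root)
        after = autorun_file_can_be_dropped(fake_root)
        is_dir = os.path.isdir(os.path.join(fake_root, AUTORUN_NAME))
        return {"before": before, "after": after, "blocker_is_dir": is_dir}


if __name__ == "__main__":
    print(demo())
```

The folder only works as a speed bump: anything with write access to the drive root can still delete it, and FAT-formatted USB sticks have no ACLs to prevent that. The stronger fix is the operating system ignoring autorun.inf on USB media altogether, which Windows 7 does by default and which Microsoft backported to XP and Vista as update KB971029.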
saakib

ASKER

Hello

I am sending here the text file from HijackThis and a screenshot from Process Explorer where the process responsible for this is marked in black. The process shows its origin at C:\windows\system32\usmt\
but I'm not getting any trace there (no existence of those types of file).

One more thing: I just need to clean my PC; the affected pen drive has been formatted.

thanks
hijackthis-infected.txt
process-explorer.JPG
Fix these entries in HijackThis:
O4 - HKLM\..\Run: [ABUGCHECK] C:\WINDOWS\system32\usmt\pos.bat  
O4 - HKLM\..\Run: [VBB] C:\WINDOWS\system32\usmt\mediaplayer.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

And delete these files below:
C:\WINDOWS\system32\usmt\pos.bat  
C:\WINDOWS\system32\usmt\mediaplayer.exe


Also try running these tools and show us the logfiles.
1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
*  Press any key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back


2.  download ComboFix to your Desktop, from either of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
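Added example (my own code, not part of this thread and not one of the tools named above): a small Python triage script that reads a HijackThis-style log and flags the kinds of entries listed in the answer: O4 autostart entries whose target is a script or lives in a directory nothing should autostart from, and O7 policy values that disable regedit or Task Manager. The log text is constructed; the two usmt entries and the DisableRegedit line are the ones quoted in the thread, the other lines are hypothetical benign entries for contrast. The line formats follow the HijackThis lines shown in the thread; the heuristics (UNUSUAL_DIRS, RESTRICTIVE_POLICIES) are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis log format (see lead-in for provenance).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [ABUGCHECK] C:\WINDOWS\system32\usmt\pos.bat
O4 - HKLM\..\Run: [VBB] C:\WINDOWS\system32\usmt\mediaplayer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
"""

# O4 = registry autostart (Run/RunOnce under a hive); O7 = Policies\System restriction.
# Startup-folder O4 lines ("O4 - Startup: ...") use a different shape and are not parsed here.
O4_RE = re.compile(r"^O4 - (?P<location>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O7_RE = re.compile(r"^O7 - (?P<key>[^,]+), (?P<value>\w+)=(?P<data>\S+)$")

# Heuristics (assumptions): a Run entry launching a script, or pointing into a
# directory where nothing legitimate autostarts. usmt is the User State
# Migration Tool folder; it is not a normal home for startup programs.
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd|vbs|vbe|js|wsf|scr|pif)\b", re.IGNORECASE)
UNUSUAL_DIRS = ("\\system32\\usmt\\", "\\temp\\", "\\recycler\\", "\\recycled\\")
# Policy values that take away the tools a user needs to inspect the machine.
RESTRICTIVE_POLICIES = {"disableregedit", "disabletaskmgr"}


def triage_hjt_log(text: str) -> List[Dict[str, str]]:
    """Return the O4/O7 entries worth a second look, each with its reason."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            reasons = []
            if any(d in cmd.lower() for d in UNUSUAL_DIRS):
                reasons.append("autostart target in an unusual directory")
            if SCRIPT_EXT_RE.search(cmd):
                reasons.append("autostart target is a script rather than a program")
            if reasons:
                findings.append({"kind": "O4", "name": m.group("name"),
                                 "target": cmd, "reason": "; ".join(reasons)})
            continue
        m = O7_RE.match(line)
        if m and m.group("value").lower() in RESTRICTIVE_POLICIES and m.group("data") == "1":
            findings.append({"kind": "O7", "name": m.group("value"),
                             "target": m.group("key"),
                             "reason": "policy disables a tool the user needs for recovery"})
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"{f['kind']} [{f['name']}] {f['target']}  <- {f['reason']}")
```

To use it on a saved log, call `triage_hjt_log(open(path).read())`. A flag is a prompt to investigate, not a verdict. It also explains the regeneration the asker reports later in the thread: if the O4 target binary is still present and still running, it rewrites the Run entries and the policy values on every boot, so the file an O4 finding points at has to be dealt with before fixing the registry lines is worth anything.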
saakib

ASKER

Thanks for your prompt reply. Sorry for the late response :-(

FYI: I'm not getting any entry like C:\WINDOWS\system32\usmt\mediaplayer.exe
so what can I do?

Do I need to run SDFix and ComboFix after fixing through HijackThis? I can't afford to lose data :-( I am afraid that if anything goes wrong after running those I have no other option but suicide (lolz.)

thanks
saakib

ASKER

I have done the following things:
Fix these entries in HijackThis:
----------------------------------------------------------------------------------------------------------------
O4 - HKLM\..\Run: [ABUGCHECK] C:\WINDOWS\system32\usmt\pos.bat  
O4 - HKLM\..\Run: [VBB] C:\WINDOWS\system32\usmt\mediaplayer.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

And delete these files below:
C:\WINDOWS\system32\usmt\pos.bat  
-----------------------------------------------------------------------------------------------------------------
But the problem is that pos.bat is regenerating after restarting the computer, and those three entries are also being re-created in HijackThis. Please help.
Fixing entries in HijackThis alone will not fix the problem; we need to delete those files as well. If you don't want to run SDFix and/or ComboFix, tell me: is your System Restore turned on?
If so, then try rolling back to a date before this happened. Try System Restore back to a date before you got infected.

Start > All Programs > Accessories > System Tools > System Restore
then choose a restore point before you got infected and we'll start from there.
saakib

ASKER

Thanks for your reply.
Sorry, I don't have System Restore enabled. I'm not getting the mediaplayer.exe file to delete.
pos.bat is re-creating after deletion.
If you can assure me that nothing will happen to my OS after SDFix and ComboFix I can try :-(
Please let me know the steps to be taken.

Regards.
SDFix.exe and ComboFix.exe are very reliable tools; I've used them many times and suggested their use many times, but I cannot guarantee that things will go as smoothly as always, so you must use these tools at your own risk.

Try deleting those files in Safe Mode,
then run an online scan afterwards. I'm sorry but I can't assure you that everything will be okay as sometimes things can happen when running any scanners.
saakib

ASKER

**Try deleting those files in Safe Mode, the whole folder C:\WINDOWS\system32\usmt **

Did you mean the entire USMT folder... will it be recreated automatically after the OS restarts??
I don't think that the OS will start properly without this folder and the files inside it.
Could you please explain.
Sorry, no, not the whole folder... maybe use a third-party tool like Killbox to delete those files at reboot.
saakib

ASKER

OK, I will get back to you after trying things...
saakib

ASKER

Hey dear,
Sorry for the late response!! :-(
I have gone through all the procedures regarding SDFix and ComboFix... Yahooooooooooo, it seems it's all right now... Please check the attached log files after fixing and let me know if anything further is required to be done...

Thank you very much... :-)
regards
combofix-log.txt
hijackthis-29-06.txt
sdfix.txt
saakib

ASKER

OK, I have got the answer to my question, and the full credit goes to "rpggamergirl".
Thanks a lot for your nice support.

Admin, please close this question; I have got my solution.

Thanks
ASKER CERTIFIED SOLUTION
rpggamergirl