System Security Virus

Benzino

Hey, my brother has gotten the system security virus on his laptop and gave it to me to try and remove. And well, i have never seen anything like it before

It has the usual stuff like changed desktop wallpaper, tells the user their system is infected and to buy such and such a program to remove it etc.

However it seems to have pretty much taken over the whole computer. It has changed the admin rights on it (which I can't change back) and now I can't install any program. I downloaded one of the anti-spyware programs listed in the sticky but as soon as I go to install it, a message pops up saying I do not have the rights to install it, even in safe mode

Also it won't let me run any programs, instead a system message in the bottom right corner says that the "program.exe" is infected. I can't open the task manager as a result I can just about browse the internet, but notice that when i go to download some anti-virus/spyware software IE just closes straight away. Furthermore, it no longer detects usb devices (tho this may not be due to the virus).

There is no existing anti-virus or spyware software on the computer that I can use either. The OS is XP.

Anyone have any advice, thanks

RoadKillTs

Nasty one allright. You could download MalwareBytes and then re-boot into Safe mode. Then install the app and run a scan.

Benzino

Every time i try to download that IE crashes I did manage to download another anti-spyware software but it won't let me install it, even if I am logged in as administrator in safe mode

ActorSeeksJob

hi

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

1. If you are using Firefox, make sure that your download settings are as follows:
   • Tools->Options->Main tab
   • Set to "Always ask me where to Save the files".
2. During the download, rename Combofix to Combo-Fix as follows:
   
   
   
   
   
   
3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

   ---

   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

     ---

   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

   ---

7. Double click on combo-Fix.exe & follow the prompts.
8. When finished, it will produce a report for you.
9. Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Benzino

Hey, thanks for that. I had to run it in safe mode, but it seems to have removed the virus! thanks!

I have attached the log file to this post.

ActorSeeksJob

no need to attach the logs

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\11594efdb787bc16e404d6a8053a6f6b.TMP
c:\windows\system32\10421b0c108dc606e65f31cf49866aea.TMP
c:\windows\system32\fccfbdcacb.dll
c:\windows\system32\ceebdbbbdaa.dll
c:\windows\18F43F6828B35987F457C944516A1A9.exe

Rootkit::
c:\windows\system32\a0f5d66796192e9fa2dec6caee03e98b.sys
c:\windows\system32\_a0f5d66796192e9fa2dec6caee03e98b.sys_.vir

Driver::
a0f5d66796192e9fa2dec6caee03e98b

KillAll::

Folder::
C:\found.000

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please download Navilog1 by IL-MAFIOSO:
http://pagesperso-orange.fr/il.mafioso/Navifix/Navilog1.exe
(*Alternate download location Here)

* Save it to your Desktop.
* Double-click on Navilog1.exe to install the program.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double-click on the Navilog1 shortcut on your Desktop to run it.
* Press E for English from the language Menu.
* Type 1 in the next Menu to select Search and press Enter.
* Wait for the Scan to finish (It may take a reasonable amount of time).
* Press any key as requested .
* A new document will be produced: fixnavi.txt.
* Please copy/paste the contents of this report in your next reply.

The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)

Benzino

I have attached the ComboFix.txt has it's very big and took up must of the page which im sure the mods wouldn't be pleased about :P

There was no fixnavi.txt produced, but there was a cleannavi.txt file.

cleannavi.txt:

Fix Navipromo version 4.0.1 began on 22/07/2009 13:59:47.28

!!! Warning, this report may include legitimate files/programs!!!
!!! Post this report on the forum you are being helped !!!

Fix running from C:\Program Files\navilog1

Updated on 18.07.2009 at 11h00 by IL-MAFIOSO

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : AMD Turion(tm) 64 Mobile Technology ML-37 )
BIOS : Ver 1.00PARTTBL
USER : <snip> ( Administrator )
BOOT : Normal boot


C:\ (Local Disk) - NTFS - Total:93 Go (Free:46 Go)
\ (CD or DVD)


Search done in normal mode

Cleanning stage done on Reboot

Cleaning of C:\WINDOWS\Temp done !
Cleaning of C:\Documents and Settings\<snip>\locals~1\Temp done !

*** Copy Registry to Safebackup folder ***

Backing up Registry done !

*** Cleaning Registry ***

Nettoyage Registre Ok

Electronic-Group Certificate deleted !
OOO-Favorit Certificate deleted !

*** Suspicious Files not deleted by Navilog1 ***
!! Possible legitimate files, must be checked before deleting !!

Suspicious Files in "C:\WINDOWS\system32" :

cukkwa.exe found !
xjhoihp.exe found !

*** Scan completed 22/07/2009 14:14:44.68 ***

Thanks for all the help.

ActorSeeksJob

don't attach this one please

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\program files\DeIsL1.isu
c:\program files\Bpm.set
c:\windows\system32\a0f5d66796192e9fa2dec6caee03e98b.sys
C:\WINDOWS\system32\cukkwa.exe
C:\WINDOWS\system32\xjhoihp.exe
Driver::
a0f5d66796192e9fa2dec6caee03e98b

KillAll::

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Benzino

Thanks for all your help. My brother has taken the laptop back with him, I will do the above as soon as I can get my hands on it again