Poison MP3 French Worm

[t louise]

Hello,
I hope you can help me

The other day my friend used my computer to print out a file, and she must have given me a worm/virus/trojan. After trying many solutions and finally getting a few clues in french where the worm/virus was mucking up my computer, I think this is something French, that destroyed my MP3 files. See below the detail on the problems. I'm using Windows XP, 2002 version.

There were several symptoms:
1. This popup error box appears shortly after computer startup: "Windows - No Disk Exception Processing Message c0000013 Parameters 75b6bf9c 75b6bf9c 75b6bf9c" with three options "Cancel", "Try Again" or "Continue". Clicking on any of the options does not make the box disappear, and the box appears on top of all windows.

2. Concurrently with this error, the Task Manager is disabled. When I press control+alt+delete, i see 5 of the 6 usual options available, but
task manager is greyed out and cannot be selected.

3. When these issues were fixed above last week (perhaps through Ad Aware or Spybot), I then could not open the c: drive disc by double clicking it. When I right-clicked it, instead of seeing "open" as the first option, it said "ouvrir" (french for open).

4. Internet Explorer keeps encountering errors and has to close. (I'm not sure this is related to anything above, it's just happening more than usual since the above occurred).

I have tried for several days to fix problems #1-3 myself without bothering you fine folks, but the solutions on the internet are quite varied and none have worked. I have uninstalled Quicktime, I have checked for viruses and trojans and done complete system checks, outside and inside Safe Mode (Ad Aware, Spybot Search & Destroy, CCleaner, AVG). I think these virus checks might have gotten rid of it temporarily last week, but it came back today. I made it through many of your recommended fixes (preliminary removal instructions for viruses/spyware/malware) and it didn't find many things. Although several programs seemed to be blocked from downloading -- spybot S&D wouldn't download properly, Trend Micro Housecall wouldn't scan, Ad-Aware 2007 wouldn't work (although the prior version would and found a few registry errors but that's it). These programs found nothing: CClean, Panda Antirootkit, SmitFraud or Vundofix or virtomundobegone.

However after trying many things, I saw that when some of this software was being registered, a french date came up (01 Avril 2007) and the username "Poison MP3". Separately, when I right clicked my hard drive to see the specs, these names had replaced my name as the owner of my computer. I searched the web ("poison mp3" and "01 avril 2007"), it came up with one french posting about this, saying this was a WORM that deleted all MP3 files and COM files on the computer, regardless of whether they were pirated. Sure enough, I checked my music files and the MP3 files are gone, but the windows player files remained. And the symptoms fit. it apparently disables the registry files and the control panel eventually. This web article said that this program masquerades as the software AnyDVD 5.1.0.1 and places itself in default download folder of emule, and software Sophos (?) fixes it?

I believe the only solution now is to use system restore -- i had been putting that off until finding out how bad the problem was. So my question is: is this the best solution, system restore? And if so, should i do this in safe mode since the virus/worm is still on my computer (I cannot get rid of it although i haven't done the Combofix.exe yet). Also I'm afraid that the worm is on my portable media drives -- USB drives that are 2GB and a couple 100-200 GB drives. Is this possible, and how do i get rid of it on there?

Please I would appreciate any help. Thank you!!

 

[evilfantasy]

If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HijackThis (HJT), Combofix, and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.
We also need to know the result of Panda Antirootkit.

 

[t louise]

---------------------------------------------------------

I executed the Viruses/Spyware/Malware, preliminary removal instructions. Attached are the 3 logs. The Panda Antirootkit didn't find anything.

When I was in safe mode just before i reboot/ran the HJT, I found that "autorun.inf" and "autorun.exe" files were on my C: drive root as well as on all my other drives' roots (4 other drives), so I deleted them and emptied the trash while in safe mode. The virus software was not detecting them. I think these are the source or a symptom of the virus/worm.

I believe the logs are attached.
Thank you again
-tlouise

----------------------------------------------------------------

 

[evilfantasy]

You are running two antivirus, this is unnecessary and can cause problems. Pick one and uninstall the other.

----------

Open HijackThis and select Do a system scan only then place a check mark next to:

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)

Close all windows and click Fix checked

----------

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

Folder::
C:\VundoFix Backups
C:\AutoRun.inf

File::
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\WS2Fix.exe

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

----------

Next post please attach
combofix log
New HijackThis log

 

[t louise]

OK -- will do.

Quick question -- what are the two antivirus progs i'm running? I know McAfee -- but Windows is saying that this is out of date, thus i downloaded others. Is McAfee OK even if windows is saying its out of date? Would you recommend AVG instead, or other?

Is windows defender an antivirus? or is AVG anti-spyware? or virusscan console?

sorry so basic,
thx

 

[evilfantasy]

Windows Defender - Antispyware
There are AVG Anti-Spyware 7.5 and AVG Antivirus

Uninstall McAfee, without updates it is worthless.

Once McAfee is uninstalled make sure the AVG Antivirus is up to date.

 

[t louise]

When I try to install AVG antivirus, and the window comes up "Personalize AVG", the username information comes up automatically filled with the french stuff (which was the clue I found earlier regarding the worm/virus) so I'm afraid the installation is corrupted--

Username: 01 Avril 2007
Company: Poison mp3
License/Sales Number: a very long number

Should I not finish this AVG antivirus product installation or does this not matter?

Moreover, when I click "my computer" properties, it says the computer is registered to the 01 Avril 2007 and poison mp3 with the number
55274-OEM-0046524-44016

 

[t louise]

Here are the revised HJT and combofix logs after the last things you told me to.
i have also installed avast! antivirus and uninstalled mcafee.

 

[evilfantasy]

When I try to install AVG antivirus, and the window comes up "Personalize AVG"

Sounds like you are installing the paid version. Avast! is just fine, I use it.

----------

the computer is registered to the 01 Avril 2007 and poison mp3

I don't know how that happened. I will look into it.

----------

Open HijackThis and select Do a system scan only then place a check mark next to:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Close all windows except for HijackThis and click Fix checked

----------

Please download ATF Cleaner by Atribune. ATF Cleaner.exe

Make sure that all browser windows are closed.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All and UNCHECK Cookies.
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All and UNCHECK Cookies.
• Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All and UNCHECK Cookies.
• Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

----------

Run this online scan. Requires Internet Explorer

Use the ESET Nod32 Online Scanner
1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Attach the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply

----------

Download Superantispyware (SAS) SUPERAntispyware Free Edition

Install it and double-click the icon on your desktop to run it.
* It will ask if you want to Update the program definitions, click Yes.
* Under Configuration and Preferences, click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked:

• Close browsers before scanning
• Scan for tracking cookies
• Terminate memory threats before quarantining.
• Please leave the others unchecked.
• Click the Close button to leave the control center screen.

* On the main screen, under Scan for Harmful Software click Scan your computer.
* On the left check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found and if it asks if you want to reboot, click Yes.
* To retrieve the removal information please do the following:

• After reboot, double-click the SUPERAntiSpyware icon on your desktop.
• Click Preferences. Click the Statistics/Logs tab.
• Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
• It will open in your default text editor (such as Notepad/Wordpad).
• Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Please add the log as an attachment along with a new HijackThis log in the next post.

----------

Next post please attach
ESET Scan Log
SUPERAntiSpyware Log
New HijackThis Log

----------

For the USB Drive.

Download this tool: Flash_Disinfector.exe by sUBs

Plug in the flash drive and double click on Flash Disinfector to run.

 

[t louise]

Hello
here are the 3 reports -- ESET scan log, Superantispyware log, and the HJT log. what do you see?

The USB search took like 2 seconds, and added a hidden file folder onto my USB drive called "autorun.inf" -- is this right?

t louise

 

[evilfantasy]

Yes, the disinfector adds the autorun.inf. You can delete it if you like.


The logs look fine. How is everything running now?

 

[t louise]

The computer seems to be running fine, nothing visibly wrong with its performance today.

However, when I right click my computer for "properties" the computer is still registered to "01 avril 2007 poison mp3". This is the same name/info that appears automatically since i was infected with the virus, via an autofill function -- when the computer asks for information -- for instance to register software, or something like that. It has happened several times now via autofill, in addtion to being the apparent "registrant" of my computer.

How do I ensure that the autofill function is not corrupt, and how can i manually change this registration info bacK to me?

thank you so much for your help -- this is incredible
-tlouise

 

[evilfantasy]

I'm not sure i would trust whatever it was you were using. Do you mean a form filler?

Safe form fill software. AI RoboForm https://www.techspot.com/downloads/4-ai-roboform.html

How Do I Change The Registered Owner Name In Windows XP http://xphelpandsupport.mvps.org/how_do_i_change_the_registered_o.htm

 

[t louise]

Hi,
This morning when I booted on the computer, the box appeared that said "No Disk -- Exception Processing Message " etc. etc. that started this whole thing -- my first symptom of a problem. However when I clicked it it went away (unlike last week when it would not go away).

My computer is still registered to this varmint 01 Avril.

But I also noticed that all my sounds are missing. My sound is working, but there is only one beep. When I went into control panel sounds, it appears that the windows sounds are missing from the system root/media or something.

Also when I tried to access my Blackberry internet account (an online feature) I could not get pass the password page on Internet Explorer (the page would not accept the correct username/password), but i could get through on Mozilla. Does this mean something?

Regarding the "form filler" -- I'm not sure what it's called, and I don't use it or do it on my computer (so i'm not going to download the RoboForm) -- unless this Roboform is to prevent against hijacking software registration? But apparently this "01 Avril 2007" code is being automatically entered into software being registered, and on my computer registry (as the registrant). That's what I mean. How else would this info be entered into the software?

If this bug is in the registry, is there a way to find it??
Thanks again for your help, sorry this is not 100% resolved.
-t louise

 

[evilfantasy]

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Attach the contents of main.txt in your post.
5. Please also attach extra.txt to your post.

What DSS will do:

* Create a new System Restore point in Windows XP and Vista.
* Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
* Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


C:\Deckard\System Scanner\extra.txt

 

[t louise]

here are the deckards system scanner logs

 

[t louise]

I just looked in my music files, and it appears they have all been erased -- mp3 as well as windows media player files. so i believe this is related to why all my windows sounds are gone. and when i had searched the internet for this problem, the poison mp3 thing came up, saying that it erased all music files, even if not pirated. (these were all my own music files downloaded from CDs).

if we do system restore to the day before this virus came, can we restore all these problems, notably the music which has been wiped off my computer as well as the portable external storage drive that was connected to my computer?

I should also say that i have my music files backed up, as well as most of my other files, although it's a pain to reload them given the work i have done since the backup (11/25).

thx

 

[momok]

System Restore will not recover those files, as it only tracks changes to core system files.

 

[t louise]

RE: solving this worm problem, i searched the web and it appears Sophos software detects this worm, so I'm trying that now. Sophos also lists details about the worm, located at (although not sure i can link yet)
http://www.sophos.com/virusinfo/analyses/w32nopirb.html

They call it the W32 Nopir B worm.

OK RE: system restore. Didn't know that.

Will keep you updated

 

[t louise]

Sophos antivirus software indeed detected a worm and deleted it -- W32/Silly FD-TT worm. Elements of the worm were present in my Cdrive registry key and in system volume information, and in windows\system32\restore, and elements were also on all my external hard drives.

I've done several additional scans of my system since the worm was detected, all are now clean.

Thanks for all your help, :approve:
-t louise