Random Sound Virus

[stevebeans]

Hey everyone, I seem to be having an issue lately with my computer. Here are the symptoms:

1. Random loss of focus on whatever window I'm on
2. Random pop-up window
3. Random sound saying something "Congratulations, you have won blah blah"
4. Random beeping, almost like a radar

Now it's very clear the .exe in my task manager has something to do with it. It's called FgUsg3yh.exe However, that's also clear it's just a file the real hidden virus creates because I can stop it, delete it from registry, run virus tests on it, etc but it still comes back.

I ran the steps in the other thread, so here are my log files.

the Hickjack this log was just after reboot after I ran another scan, so I don't see the .exe there, but I won't be surprised if it shows up within 15 mins.

Anyway, any help with this would be extremely appreciated. trying to do whatever I can before I am forced to format. Thanks!

 

[momok]

Your mbam log shows some entries to be 'delete on reboot' have you rebooted?

Please fix these entries in HJT:
O1 - Hosts: 83.143.81.174 eq2i.com
O1 - Hosts: 83.143.81.174 www.eq2i.com192.168.1.102 HP0018715D065A

I see no sign of FgUsg3yh.exe in your HijackThis log. Is it still there?
We may need to use combofix for this cleaning. Have it downloaded from here first

 

[stevebeans]

Hey there, thanks for the reply.

I removed the eq2i.com entry, used the combofix.exe and rebooted. However, in my system32 folder I can still see the uIHSG5gi.exe and FgUsg3yh.exe files probably just waiting for their calls to activate.

I'll post in a few hours if I don't get a random sound, or the file never loads, but I'm fully expecting it to When it does, I'll do a new log from HJT and post it. Thanks!

I was actually semi-hopeful, but it's back. Ugh

I ran combofix btw, that's what made me hopeful because it took awhile for that file to get re-launched after reboot. But it's back and I'm back to being clueless

Does anyone even know the name of this virus/trojan

 

[momok]

Hi since you ran Combofix could you post that log here?
Doubt this trojan has been named. Such variants often create randomly named exes on the system. I've seen plenty of these variants around; they're pretty common in malware infections. Combofix is usually great for targetting these infections.

 

[stevebeans]

Hey there. So, last night I ran combofix again, then went into the system32 folder and deleted the .exe file and the .dll file that remained (for some reason not deleted after combofix ran).

So far it's yet to return, and I have shut down my computer since then, so a fresh start has not brought them back. We'll see how long it lasts though

So far so good. So when should I feel comfortable enough to change my passwords knowing I'm not infected any more?

 

[momok]

Hi,

Your system is pretty badly infected, and for quite some time already.

Combofix doesn't remove them automatically. The reason why I said its useful because such malware variants tend to keep recreating themselves and spawning in different areas of the system under different names, making it highly difficult for detection. (you'll see from the instructions below)

Combofix, in that sense shows the newly created files and allows people like us to help you delete them successfully.

Please ensure your Combofix executable is downloaded on desktop before you execute these instructions:

Please temporarily disable SpyBot's teatimer function(in your windows system tray bottom right) before you commence with the following instructions.

1. Open notepad and copy/paste the text in the code box below into it:
   
   

   File::
   c:\temp\ComboFix.exe
   c:\windows\imsins.BAK
   c:\temp\IE7-WindowsXP-x86-enu.exe
   c:\windows\system32\FgUsg3yh.exe
   c:\windows\system32\XOL
   c:\temp\RootkitRevealer.exe
   c:\temp\setupeng.exe
   c:\temp\aaw2008.exe
   c:\windows\system32\uIHSG5gi.exe
   c:\temp\iTunes801Setup.exe
   c:\temp\FrontOfficeFootball2007.exe
   c:\windows\inf\UpdateUSB.exe
   c:\windows\Tasks\At1.job
   c:\windows\Tasks\At10.job
   c:\windows\Tasks\At11.job
   c:\windows\Tasks\At12.job
   c:\windows\Tasks\At13.job
   c:\windows\Tasks\At14.job
   c:\windows\Tasks\At15.job
   c:\windows\Tasks\At16.job
   c:\windows\Tasks\At17.job
   c:\windows\Tasks\At18.job
   c:\windows\Tasks\At19.job
   c:\windows\Tasks\At2.job
   c:\windows\Tasks\At20.job
   c:\windows\Tasks\At21.job
   c:\windows\Tasks\At22.job
   c:\windows\Tasks\At23.job
   c:\windows\Tasks\At24.job
   c:\windows\Tasks\At3.job
   c:\windows\Tasks\At4.job
   c:\windows\Tasks\At49.job
   c:\windows\Tasks\At5.job
   c:\windows\Tasks\At50.job
   c:\windows\Tasks\At51.job
   c:\windows\Tasks\At52.job
   c:\windows\Tasks\At53.job
   c:\windows\Tasks\At54.job
   c:\windows\Tasks\At55.job
   c:\windows\Tasks\At56.job
   c:\windows\Tasks\At57.job
   c:\windows\Tasks\At58.job
   c:\windows\Tasks\At59.job
   c:\windows\Tasks\At6.job
   c:\windows\Tasks\At60.job
   c:\windows\Tasks\At61.job
   c:\windows\Tasks\At62.job
   c:\windows\Tasks\At63.job
   c:\windows\Tasks\At64.job
   c:\windows\Tasks\At65.job
   c:\windows\Tasks\At66.job
   c:\windows\Tasks\At67.job
   c:\windows\Tasks\At68.job
   c:\windows\Tasks\At69.job
   c:\windows\Tasks\At7.job
   c:\windows\Tasks\At70.job
   c:\windows\Tasks\At71.job
   c:\windows\Tasks\At72.job
   c:\windows\Tasks\At8.job
   c:\windows\Tasks\At9.job
   
   Folder::
   c:\documents and settings\NetworkService\Application Data\Viewpoint
   c:\temp\maleware
   c:\windows\system32\config\systemprofile\Application Data\Viewpoint
   c:\temp\chase
   c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
   c:\temp\3dmarkpaid

2. Save this as "CFScript.txt" on the desktop.
3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
   
   
   
   
4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
   Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

Paste the new Combofix log in your next reply.

 

[stevebeans]

Thanks for all your help through this, I can't believe how bad my computer got.

Anywhere, I did the steps above, here are my results

 

[momok]

Hi,

I think I possibly missed out something in my previous instructions. Sorry about that.

Please create a new CFScript.txt file in notepad (replace the old one) with these text in it:

File::
c:\temp\msgr9us.exe

Folder::
c:\temp

Repeat the same thing and post the resultant Combofix log as well as a fresh Hijackthis log after that.

Also let me know what's in this folder c:\documents and settings\All Users\Application Data\nView_Profiles
Thanks.

 

[stevebeans]

Hey there, yea there was a lot of junk in my temp folder because that's where I kept a lot of my software downloads prior to install. I moved out the important ones that I'm sure of and let the program delete the rest

As far as that folder, it appears empty. I made sure 'show hidden files' is selected as well.

moderator edit: please be sure to use the edit button instead of double posting.
oops forgot HJT log

 

[momok]

Wow, your combofix log shows a long list of items and deletions from that folder; I believe your infection probably originated from one of the programs you downloaded and placed there.

On the bright side of things, your infection looks gone and your logs are looking clean now

Now that you're gd to go,

1. Please download and run CCleaner via step 3 of the instructions HERE.
   
   
2. Clear your existing System Restore points and establish a new clean restore point:
   Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
   
   Next, go to Start > Run > cleanmgr
   Select the More options tab > Choose the option to clean up System Restore and OK.
   This will remove all restore points except the new one you just created.
   
   
3. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
   May I recommend you to read this article.
   This can help to prevent future infections.

 

[stevebeans]

Awesome, thanks for all the help! Btw, do you recommend any specific software to run? anti-virus, spyware, whatever. I've always been iffy on them because they slow systems down, like norton, but if you can recommend a solid one that actually works and doesn't just hog my resources, i'm all for it.

Thanks again

 

[momok]

I've been using AVG all along for my antivirus, but recently considering switching to Avira. The reviews out there and people on the forum just recommend it over the rest. Its a good free option. =)

CCleaner is a real gem imo. run it regularly.

 

[stevebeans]

Excellent, thanks! Also, i'm not sure if you're familiar with this, but check out the differences in fonts between my post, and the text box where I am posting. See how the text box is smaller and tigher? This happened after I ran ccleaner the first time through. Is that a setting in firefox, or a system thing? thanks!

 

[momok]

I'm not very sure, but I believe it is related to your Firefox settings. That should be easily taken care of; but I don't use firefox so I'm not sure how to direct you on this.

 

[stevebeans]

Yea, you're probably right. I'll search around their forums for those answers. Thanks again for all your help, its' a huge relief to know I don't have to re-install windows.