Vbs : Malware - gen

Status
Not open for further replies.

Alexexex

My friend borrowed my USB to transfer files from her email to another computer for a presentation.

The computer used to retrieve the files from her email was a school computer, probably loaded with viruses...

But... as a friend, I couldn't say no.

So she gave me back the USB after the presentation and I forgot to format it before inserting it back into my computer.

Guess what? Avast scared the crap out of me when I heard "Warning you have a virus."

So now, I'm stuck with a laggy computer, whose CPU is almost as stressed as I am.

By the way, I've attached a ComboFix log as well as a Hijackthis Log.

I'd love it if you have any tips or solutions leading to the cleaning of this computer! :)
 

Attachments: ComboFix.txt (22 KB), Hijackthis Log.txt (7.1 KB)
Please note the following:

Virus and Malware Preliminary Removal Steps:

Do Not Run Combofix without our guidance

Please disable TeaTimer before running the scans:
  • Right click the TeaTimer icon in the system Tray
  • Then click Exit Spybot-S&D Resident
  • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe)
 
Recurring Problem

I think the problem has recurred, my CPU jumps to 100% even when opening the lightest programs, very laggy operation...

Thank you very much.
 

Attachments: SUPERAntiSpyware Scan Log - 01-16-2010 - 09-12-59.log (1.1 KB), hijackthis.log (7.7 KB), protection-log-2010-01-16.txt (12.5 KB), mbam-log-2010-01-16 (11-27-27).txt (888 bytes)
Alex, can you better describe what the problem is?

What is showing you Vbs : Malware - gen? Did your colorful language mean you got an alert from AVG? Did you quarantine the malware?

Was there any particular reason you included the protection log showing blocked websites?

What does "laggy" mean? Do you mean slow, because there are many reasons that can contribute to a slow computer.

As for lending a USB drive to a friend- you always have a choice!

EDIT: If I ask you to run any more scans, please disable TeaTimer as requested.
 
Malware Gen Continued?

In an act of desperation, I decided that formatting my hard drive was the best option. So I transferred the files using the USB to my laptop and the not so funny thing was that now this computer's CPU usage is very unstable, it would jump from 12 to like 90 in a matter of seconds. I'm not 100% sure that this computer is infected, but it's been acting strange recently.

Is it actually possible to continue infecting a computer just by transferring some files?
If so, then I guess my only option is to try my best to disinfect this worm.

Teatimer is not installed on this computer and I've attached the requested logs below.

Thank you very much for your support! :)
 

Attachments: hijackthis.log (8.2 KB), Malware Bytes Log.txt (1.2 KB), SUPERAntiSpyware Scan Log - 01-17-2010 - 14-10-09.log (8.2 KB)
Is it actually possible to continue infecting a computer just by transferring some files?
If you transfer infected files, yes.

Please print these instructions:
You have malware in the temp files:

Download TFC(Temp File Cleaner) to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Empty the Recycle Bin
----------------------------------------------------------
Reset Cookies
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
--------------------------------------
Update Vista from Platform: Windows Vista SP1 to SP2:
Stay current on updates:
  • Visit the Microsoft Download Site
  • You should get All updates marked Critical and the current SP updates: Vista> SP2
-------------------------------------
Download the Norton Removal Tool and save it to your desktop. Don't run it yet.
-------------------------------------------
Reopen HijackThis to 'do system scan only.' Check each of the following if present:

O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)>>Windows Live Messenger
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)>> Norton
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

Close all Windows except HijackThis and click on "Fix Checked."
--------------------------------------------------
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Double click on the Norton Removal Tool on the desktop and run. Follow onscreen prompts. You do NOT need the registration number to uninstall.
-------------------------------------------------
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • (screenshot of the Recovery Console installation query)

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    (screenshot of the ComboFix prompt)

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
--------------------------------------------------------
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
---------------------------------------------
Summary:
Run TFC
Reset Cookies
Update Vista
Download Norton Removal
Scan with HJT
Run Norton Tool in Safe Mode
Run Combofix >> attach report
Do Eset online scan>> attach log
Rescan with HJT> leave new log
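The question answered at the top of this post (can moving files off the stick carry the infection?) and ComboFix note 3 (it blocks autorun of USB devices) describe the same mechanism: a hidden script on the drive plus an autorun.inf whose launch keys start it, often under a double-extension name so it looks like a document. The following is an added example, not part of this thread or of any tool it names, that triages a removable drive offline for that pattern. The sample autorun.inf and directory listing are constructed; the function names (parse_autorun, triage_autorun, triage_files, scan_drive) are chosen here, while the autorun.inf keys and script hosts it looks for are the real ones Explorer honoured at the time.

```python
"""USB triage for autorun-launched scripts.

Added example for this thread, not from the original posts or any tool named in them.
SAMPLE_AUTORUN and SAMPLE_LISTING are constructed for illustration.
"""
import configparser
import os
import re
import stat
from dataclasses import dataclass

# Script types a VBS/JS USB worm drops and launches, and native executables.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com"}
# Inner "decoy" extensions seen in double-extension names such as report.doc.vbs.
DECOY_EXTS = {"doc", "docx", "txt", "jpg", "pdf", "xls", "ppt", "pptx", "db"}
# autorun.inf keys whose value Explorer executed on insertion or double-click.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command", r"shell\explore\command")
# Script hosts and loaders a script worm needs in order to run.
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|cmd|rundll32)(\.exe)?\b", re.I)


@dataclass
class Finding:
    where: str        # "autorun.inf:<key>" or a file name
    detail: str       # the command line, or the reason the file was flagged
    suspicious: bool  # script launch, hidden executable content, or double extension


def parse_autorun(text):
    """Return {lowercased key: value} from the [autorun] section; {} if absent or unparseable."""
    # Explorer ignores leading whitespace; configparser would read it as a continuation line.
    cleaned = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str.lower
    try:
        cp.read_string(cleaned)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def triage_autorun(text):
    """One Finding per launch directive; suspicious when it invokes a script or script host."""
    findings = []
    directives = parse_autorun(text)
    for key in LAUNCH_KEYS:
        cmd = (directives.get(key) or "").strip()
        if not cmd:
            continue
        runs_script = bool(SCRIPT_HOSTS.search(cmd)) or any(e in cmd.lower() for e in SCRIPT_EXTS)
        findings.append(Finding(f"autorun.inf:{key}", cmd, runs_script))
    return findings


def triage_files(entries):
    """entries: iterable of (name, hidden, system); flags hidden executables and double extensions."""
    findings = []
    for name, hidden, system in entries:
        low = name.lower()
        ext = os.path.splitext(low)[1]
        parts = low.split(".")
        reasons = []
        if low == "autorun.inf" and (hidden or system):
            reasons.append("hidden/system autorun.inf")
        if (hidden or system) and ext in SCRIPT_EXTS | EXEC_EXTS:
            reasons.append("hidden/system script or executable")
        if len(parts) >= 3 and ext in SCRIPT_EXTS | EXEC_EXTS and parts[-2] in DECOY_EXTS:
            reasons.append("double extension posing as a document")
        if reasons:
            findings.append(Finding(name, "; ".join(reasons), True))
    return findings


def scan_drive(root):
    """Run both checks on a real drive root such as r'E:\\' (attribute bits are Windows-only)."""
    entries = []
    for entry in os.scandir(root):
        attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
        entries.append((entry.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                        bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)))
    inf = os.path.join(root, "autorun.inf")
    text = ""
    if os.path.isfile(inf):
        with open(inf, encoding="latin-1", errors="replace") as fh:
            text = fh.read()
    return triage_autorun(text) + triage_files(entries)


# Constructed sample modelled on the hidden-VBS USB worm layout of the era (not a real capture).
SAMPLE_AUTORUN = r"""[AutoRun]
open=wscript.exe //e:vbscript //b thumbs.db.vbs
shell\open\Command=wscript.exe //e:vbscript //b thumbs.db.vbs
shell\explore\Command=wscript.exe //e:vbscript //b thumbs.db.vbs
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
"""
SAMPLE_LISTING = [  # (name, hidden attribute, system attribute)
    ("autorun.inf", True, True),
    ("thumbs.db.vbs", True, True),
    ("Presentation.pptx", False, False),
    ("Presentation.ppt.scr", False, False),
]

if __name__ == "__main__":
    for f in triage_autorun(SAMPLE_AUTORUN) + triage_files(SAMPLE_LISTING):
        print(("SUSPICIOUS" if f.suspicious else "review    ") + f" {f.where}: {f.detail}")
```

On a real stick, call scan_drive(r"E:\") from a machine that has autorun disabled (the NoDriveTypeAutoRun registry value set to 0xFF, which is what ComboFix note 3 refers to; Microsoft later shipped KB971029 to stop honouring autorun.inf on removable drives altogether). The hidden-script and double-extension checks still matter after that change, because a user double-clicking what looks like a document launches the worm without any help from autorun.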
 
I have completed all the steps leading up to the Vista Service Pack 2 update.
In the midst of installing the Service Pack 2, I would receive an Error Code: 80070005
I have yet to find a loophole towards this problem.
Others have been able to avoid the error by running scripts, with adverse side effects.
If you have any suggestions to avoiding the error, please advise.
 
The consensus for resolving this error code is to turn off the AV program.

That is not something I recommend without reserve. Many fixes were tried. Most failed. It's a permission issue. See if this works for you. If not, hold off on that for now.

Complete whatever you haven't done from this list:
Summary:
Run TFC
Reset Cookies
(Update Vista) hold for now.
Download Norton Removal
Scan with HJT
Run Norton Tool in Safe Mode
Run Combofix >> attach report
Do Eset online scan>> attach log
Rescan with HJT> leave new log
 
Logs and Reports

Here are the requested logs and files.

Thank you very much!!!

Hope to hear from you in the near future.
 

Attachments: hijackthis.log (6.6 KB), log.txt (126 bytes), ComboFix.txt (18.7 KB)
I'd like you to be sure the Java cache gets emptied:

Control Panel> Java> Temporary Internet Files> Settings> delete these files.
Then go back to the Update tab and UNCHECK 'automatically check for updates'. Answer yes when asked.

Empty the Recycle Bin

Did you actually run the Eset scan? It looks like it was updated but there is no scan info.

Going back and reading all the posts, I have to ask- are we still working on the same computer as the original one?

Did you run TFC?

What malware related problems are you still having?
 
I ran the Eset scan twice, it came up with nothing...

No, I formatted the original computer, but was speculating on the idea of the virus having "jumped" to my laptop since I had transferred some files to save them.

Yes, I ran the TFC several times and restarted afterwards.

Problems..... not really, but I'm just wondering if Internet Explorer is supposed to jack your CPU usage right towards 100..... because it's been doing that.

Other than that, I'd say the computer's performance has significantly improved....

So if you think my computer is clean, I'd like to thank you for all your help and hopefully repay the favour to you and the techspot community!

~ Alex
 
Alex, I found the malware. It's in the Combofix report. I don't know if I can use OTMoveIt or whether a CFScript needs to be written for its removal. Please don't go yet- I am requesting help from kritius.

I should have realized it when I kept seeing the temp files!
 
Alex, let's try moving the files and folders:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files 
    c:\users\Dennis\AppData\Local\temp
    C:\32788R22FWJFW
    C:\32788R22FWJFW.2.tmp
    C:\32788R22FWJFW.1.tmp
    C:\32788R22FWJFW.0.tmp
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Let me know if there are any remaining malware problems. IF these get moved, I'll have you remove the cleaning tools.
 
Oldtimer Results

Well here are the results from the moving team.

No, I do not believe that this computer is infected, at least on my part.

Everything seems to be running smoothly, my laptop is a lot happier!

So... I'll see what you say and in the meantime, I'll be waiting for your response.

Thanks, Alex.
 

Attachments: 02012010_004330.log (8.4 KB)
I thought that one might be a problem because it's a folder, not a file.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.


Go to My Computer> Local Drive (C)> look for 32788R22FWJFW and any related tmp files> do a right click> Delete on each.

Close Windows Explorer> Reboot into Normal Mode
Go back and hide the files and folders.
Empty Recycle Bin

Remove all of the tools we used and the files and folders they created


Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

Alex, do you think we did it?! You worked hard. Good for you.

If you have any other questions, let me know.
 
It's Alex

I apologize for my very delayed response, I kinda got caught up in school and exams... :(

I really do think you did a very nice job, and I don't know what I would be in if it weren't for you.

I have attached a hijackthis log for you to look at as a final confirmation, but I doubt there's anything.

Although this is a little irrelevant, I was just wondering how you knew so much about computers?... :)

Thank you so very much, and hope to hear from you in the near future.
 

Attachments: hijackthis log.txt (5.8 KB)
Glad to help out. You're still running Malwarebytes and Superantispyware. Those can be removed by running OTCleanIt again.

The log is clean. Some day, when things are slow, go to Add/Remove Programs and check out what's installed. Dell pre-loads a lot of junk- most isn't used, many don't even know it's there. But if I see it, that means it's running and uses resources.

Since it's been a couple of months, I'd like you to run the Eset scan once more, to be sure nothing is lurking that we don't know about: Run Eset NOD32 Online AntiVirus Scanner HERE. Directions are in Post #6 (not Combofix, just Eset).

If anything is found in the Eset scan, I need to see the log. Otherwise, go ahead and remove the cleaning tools.

Please follow these simple steps to keep your computer clean and secure:

1.Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guide


2.Stay current on updates:
  • Visit the Microsoft Download Site frequently.
    You should get All updates marked Critical and the current SP updates:Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP2
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    OR
  • Download Foxit Reader It is free and does the same thing as Adobe without the bloat.
  • Check this site often. Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3.Make Internet Explorer safer. Follow the suggestions HERE
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

4. Remove Temporary Internet Files regularly: Use
5. Use an AntiVirus Software (only one)
6. Use a good, bi-directional firewall (one software firewall)
See Understanding and Using Firewalls including links to download a firewall.

7.Consider these programs for Extra Security
  • Spywareblaster:
  • SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad
  • This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts files This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar Get the free google toolbar to help stop pop up windows.

If I can be of further assistance, please let me know. Help and support is only given in the forums but you can send a PM to me and bring my attention back to the thread.


My knowledge of computers is very small compared to many others. But I think the internet is awesome and cyberspace is a great place to be!
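The MVPS hosts file recommended in the post above works by mapping unwanted names to 127.0.0.1; a HijackThis O1 line reports exactly those mappings (the "::1 localhost" entry checked earlier in this thread is the Vista default); and malware abuses the same file in reverse, pointing antivirus and Windows Update names at loopback so the machine can no longer get updates or reach help sites. The following is an added example, not part of this thread or of HijackThis, that separates the three cases when reading a HOSTS file. The HOSTS text is constructed, and the PROTECTED list of vendor and update domains is an illustrative assumption rather than a complete list.

```python
"""Audit a Windows HOSTS file the way a HijackThis O1 line is read.

Added example for this thread, not part of the original posts or of HijackThis.
SAMPLE_HOSTS is constructed; PROTECTED is an illustrative (assumed) list of domains.
"""
import ipaddress

# Names a default Windows HOSTS file legitimately maps to loopback.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Update/security domains a worm redirects to loopback to stop AV updates and block help sites.
PROTECTED = ("microsoft.com", "windowsupdate.com", "avast.com", "avg.com",
             "symantec.com", "norton.com", "eset.com", "malwarebytes.org")


def _under(host, suffix):
    """True if host is suffix itself or a subdomain of it (avoids matching notavast.com)."""
    return host == suffix or host.endswith("." + suffix)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments and malformed lines are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed or binary junk
        for name in fields[1:]:
            yield no, ip, name.lower().rstrip(".")


def audit_hosts(text):
    """Classify mappings as 'benign' (loopback defaults), 'sinkhole' (MVPS-style blocking
    of ad/malware hosts at 127.0.0.1 or 0.0.0.0) or 'hijack' (update/security domains
    redirected anywhere, or any name sent to a routable address)."""
    report = {"benign": [], "sinkhole": [], "hijack": []}
    for no, ip, name in parse_hosts(text):
        to_local = ip.is_loopback or ip.is_unspecified
        row = (no, str(ip), name)
        if name in DEFAULT_LOOPBACK_NAMES and to_local:
            report["benign"].append(row)
        elif any(_under(name, s) for s in PROTECTED):
            report["hijack"].append(row)
        elif to_local:
            report["sinkhole"].append(row)
        else:
            report["hijack"].append(row)
    return report


# Constructed HOSTS text: Vista defaults, two MVPS-style block entries, three hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.   (header comment, ignored)
127.0.0.1       localhost
::1             localhost
0.0.0.0 ad.example.com          # MVPS-style sinkhole of an ad host
0.0.0.0 tracker.example.net
127.0.0.1 www.avast.com         # AV vendor blocked: classic worm tactic
127.0.0.1 update.microsoft.com
203.0.113.10 www.example-bank.com   # pharming to a routable (TEST-NET-3) address
"""

if __name__ == "__main__":
    for kind, rows in audit_hosts(SAMPLE_HOSTS).items():
        for no, ip, name in rows:
            print(f"{kind:8} line {no}: {ip} -> {name}")
```

On a real machine the file is %SystemRoot%\System32\drivers\etc\hosts; read it with errors="replace" since infected copies are sometimes padded with binary junk before the real entries. A large "sinkhole" count with an empty "hijack" list is what an MVPS install looks like; anything in "hijack" is worth the same attention the helper gave the O1 line here.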
 