Report USBFIX 1

[hackoo]

Hi ! i need some help and advice, the computer of my friend is infected by a malware that it's very hard to remove it manullay so i post here The Report created by USBFix. please tell me what can i do with this kind of malware.
Thank you for your help !

############################## | UsbFix V6.097 |

Update on 20/02/2010 by El Desaparecido , C_XX & Chimay8
Start at: 10:13:17 | 24/02/2010
AMD Athlon(tm) Dual Core Processor 5400B
Microsoft Windows XP Professionnel (5.1.2600 32-bit) # Service Pack 2
Internet Explorer 6.0.2900.2180
Windows Firewall Status : Enabled
AV : Kaspersky Internet Security 8.0.0.506 [ Enabled | Updated ]
FW : Kaspersky Internet Security[ Enabled ]8.0.0.506

A:\ -> Lecteur de disquettes 3 ½ pouces
C:\ -> Disque fixe local # 78,12 Go (68,04 Go free) # NTFS
D:\ -> Disque CD-ROM
E:\ -> Disque fixe local # 70,92 Go (68,07 Go free) # NTFS

############################## | Processus actifs |

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\kernel32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\a-squared HiJackFree\a2hijackfree.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

################## | Elements infectieux |

C:\WINDOWS\System32\baseWINDOWS.db  
C:\Program Files\USBScan\chis.jpg  
C:\Program Files\USBScan\Help.chm  
C:\Program Files\USBScan\Hide.rep  
C:\Program Files\USBScan\kernel.dll  
C:\Program Files\USBScan\Process.dat  
C:\Program Files\USBScan\Safe.rep  
C:\Program Files\USBScan\svighost.dll  
C:\Program Files\USBScan\unins000.dat  
C:\Program Files\USBScan\unins000.exe  
C:\Program Files\USBScan\Update.exe  
C:\Program Files\USBScan\USBScan.exe  
C:\Program Files\USBScan\UserSettings.ini  
C:\Program Files\USBScan  
C:\autorun.inf  
C:\Thumbss.db  
E:\autorun.inf  
E:\driver  
E:\Thumbss.db  

################## | Registre |

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "baseWINDOWS"  
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "Adobe Reader 9.0"  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwtsn32.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LaunchU3.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mvyA.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rmvtrjan.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]  
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjscan.exe]  
[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore] "DisableSR"  

################## | Mountpoints2 |

HKCU\..\..\Explorer\MountPoints2\{168cf942-0f42-11df-a4db-00064f819f92}
Shell\AutoRun\command =C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs Thumbss.db

HKCU\..\..\Explorer\MountPoints2\{21710d4e-fece-11de-a4b1-00064f819f92}
Shell\AutoRun\command =F:\LaunchU3.exe -a

HKCU\..\..\Explorer\MountPoints2\{21710d4f-fece-11de-a4b1-00064f819f92}
ShELl\AuTOplAy\coMMaNd =G:\vvewgr.exe
ShELl\AutoRun\command =G:\vvewgr.exe
ShELl\expLoRE\ComMAnd =G:\vvewgr.exe
ShELl\OPen\comMand =G:\vvewgr.exe

HKCU\..\..\Explorer\MountPoints2\{3def5cd0-0f33-11df-a4d9-00064f819f92}
Shell\AutoRun\command =C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs Thumbss.db

HKCU\..\..\Explorer\MountPoints2\{407458e2-208c-11df-a4ff-00064f819f92}
Shell\AutoRun\command =C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs Thumbss.db

HKCU\..\..\Explorer\MountPoints2\{483e0a8e-0ca8-11df-a4d3-00064f819f92}
Shell\AutoRun\command =C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs Thumbss.db

HKCU\..\..\Explorer\MountPoints2\{5bb092cb-faab-11de-a4a8-bc2f544c5d35}
Shell\AutoRun\command =C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs Thumbss.db

HKCU\..\..\Explorer\MountPoints2\{5c1d3fe6-174a-11df-a4ee-00064f819f92}
Shell\AutoRun\command =C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs Thumbss.db

HKCU\..\..\Explorer\MountPoints2\{8c88bda4-faae-11de-9df1-806d6172696f}
Shell\AutoRun\command =C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs Thumbss.db

HKCU\..\..\Explorer\MountPoints2\{cf57a7c2-0f33-11df-a4da-00064f819f92}
Shell\AutoRun\command =C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs Thumbss.db

HKCU\..\..\Explorer\MountPoints2\{d4cfa558-0270-11df-a4be-00064f819f92}
sHELl\auToplay\comMand =uotw.exe
sHELl\AutoRun\command =uotw.exe
sHELl\expLore\COmmanD =uotw.exe
sHELl\oPeN\commaNd =uotw.exe

HKCU\..\..\Explorer\MountPoints2\{e4af5a00-1dfe-11df-a4f9-00064f819f92}
Shell\AutoRun\command =C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs Thumbss.db

HKCU\..\..\Explorer\MountPoints2\{e6e87dae-1626-11df-a4ea-00064f819f92}
Shell\AutoRun\command =C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs Thumbss.db

HKCU\..\..\Explorer\MountPoints2\{fe79086a-14bc-11df-a4e7-00064f819f92}
Shell\AutoRun\command =C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs Thumbss.db
################## | Vaccin |
################## | ! Fin du rapport # UsbFix V6.097 ! |

 

[pechenegs]

This file is the culprit!


C:\WINDOWS\kernel32.exe



Download hijack this from the link below.Please do this. Click here:

http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html?hhTest=1

to download HijackThis. Click scan and save a logfile, then post it here so
we can take a look at it for you. Don't click fix on anything in hijack this
as most of the files are legitimate.




* Click here to download ATF Cleaner by Atribune and save it to your
desktop.

http://majorgeeks.com/ATF_Cleaner_d4949.html

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords,
please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords,
please click No at the prompt.
* Click Exit on the Main menu to close the program.






Download Superantispyware (SAS):

http://www.superantispyware.com/supe....html?rid=3132

Once downloaded and installed update the defintions
and then run a full system scan quarantine what it finds!


* Double-click SUPERAntiSypware.exe and use the default settings for
installation.
* An icon will be created on your desktop. Double-click that icon to launch
the program.
* If asked to update the program definitions, click "Yes". If not, update
the definitions before scanning by selecting "Check for Updates". (If you
encounter any problems while downloading the updates, manually download and
unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all
others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your
computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your
computer.
* After the scan is complete, a Scan Summary box will appear with
potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete".
Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware
again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.




Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link 1 alternate download link 2

http://malwarebytes.gt500.org/mbam-setup.exe

http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

* Make sure you are connected to the Internet.
* Double-click on Download_mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
o Update Malwarebytes' Anti-Malware
o Launch Malwarebytes' Anti-Malware
* Then click Finish.
* MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
* On the Scanner tab:
o Make sure the "Perform Quick Scan" option is selected.
o Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.
* Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply with a new hijackthis log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.






* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit.exe file and Allow to run the express scan
* This will scan the files currently running in memory and when something is
found,
click the yes button when it asks you if you want to cure it. This is only a
short scan.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
* Back at the main window, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look if you can click next icon next to the
files found: IPB Image
* If so, click it and then click the next icon right below and select Move
incurable as you'll see in next image:
IPB Image
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it
can't be cured. (this in case if we need samples)
* After selecting, in the Dr.Web CureIt menu on top, click file and choose
save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will
be moved/deleted during reboot.




Post a new hijack this log after running the tools, the super log,the malwarebytes log and the dr web scan log



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

 

[Noway2]

pechenegs, you get a star for making such a detailed post with a lot of explcit information.

 

[pechenegs]

You also have a few other infections! If your flash drives are infected follow the instructions at the link below to clean them!

http://www.bleepingcomputer.com/forums/index.php?showtopic=163526&st=0&p=913677&#entry913677

These files are bad or suspicious!

C:\Program Files\USBScan\svighost.dll
G:\vvewgr.exe

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars