Help needed with virus: wtf is this shit bot.exe?!

Seppo

so i think i have some kind of a virus or something on my computer called bot.exe. i googled it and it certainly didn't look good at all ;(

basically when i boot my computer, this bot.exe DOS-window pops up, usually when windows is starting.

how do i remove it? i scanned my computer with Ad-aware but it didn't help. antivirus scan (AVG) didn't find it either.

and what is this program anyway?
 
I gave up on both those programs (AVG and Ad-Aware) after encountering a similar situation. For the future I suggest you get a real solid AV like NOD32 or Kaspersky.

For now, you may be able to get rid of this thing via a combination of simply searching via Windows and using a program called hijackthis.

I'm tired and I'm an amateur, and it's been a long time since I've described this process, so it may be a bit shoddy, but the following steps will have a good chance of clearing your shitware.

First do a Windows search for any files which were created or modified around the time this bot.exe got on your comp - also search for bot.exe itself. Look particularly for any results that are weird exe's and dll's in windows/system32 or thereabouts. If you're not sure whether something in System32 is 'weird' or not, check its Properties and the 'version' tab - almost any legit file in there will state the company that placed it there, eg MS or ATI, while dodgy stuff will mostly have nothing like that. Shitware files will also often appear at the top of the file listing when you sort by most recently modified. If you find something obviously suspect, sometimes you can simply delete it - although don't do this unless you are 100% sure that what you are deleting is non-essential. Often, however, if those files are linked to a trojan, virus or whatever, they will be recreated by other hidden processes every time you delete them. They may also be invisible, or indeed not located in System32 at all. Bear in mind that this is a provisional step, and will only be of any use if your particular infection is very easily defeatable.

Go to Start>Run>msconfig>'startup' tab and check if there is a registry entry which is running bot.exe on startup. There most likely is one. There may also be others that point to obscure dlls and exes which you know to be suspect. Make a note of their locations on your comp, if that info is revealed here. Uncheck those dodgy startup items too - they will quite possibly recheck themselves on reboot, but in the next step you'll be deleting the registry entries which even give them the option of starting up.

So now, go and get hijackthis and run it. Do a system scan and save a log file. Check the results for any registry entries which either a) look like they correspond to any of those suspicious entries in msconfig, or b) just generally point to highly suspicious exes, dlls, etc. Delete them, but don't guess. Be sure that what you're deleting is related to the thing you want to get rid of. If you need to, you can post the hijackthis log file here; I can't promise to be able to make sense of it, but maybe someone else can.

Anyway, having deleted those registry entries, reboot immediately into Safe Mode. If all has gone superbly well, the startup registry items will not have rechecked or recreated themselves, bot.exe and its possible allies will not be running, and most of the associated files will be lying inert on your PC ready to be deleted. You can run AVG while in Safe Mode and hope it will do this for you (optimistic, tbh), but it's good to do as much as you can manually by looking at the file locations you noted down from msconfig earlier, and using those notes to hunt down and delete any inert shitware which may still be lying around.

Good luck, feel free to ask for clarification if this rough guide falls over at any step once you try it in practice.
 
here is the logfile.

Logfile of HijackThis v1.99.1
Scan saved at 17:57:30, on 02.06.2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\service.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ULiRaid] C:\Program Files\ULiRaid\ULiRaid.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [__GSCAdditionalInstallation__] "D:\Pelit\Alexander\Alexander_demo\SetupDemo.exe" -AdditionalInstall
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvlution.com/KooPlayer.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159085346718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167857143003
O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://static.35mb.com/applet/applet_o.cab
O16 - DPF: {B85537E9-2D9C-400A-BC92-B04F4D9FF17D} (Silverwire Image Uploader Control) - http://htmlupload.silverwire.de/upload/JavaActiveX/ImageUploader4.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://fi.photobox.com/clients/uploader_v2.2.0.6.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

there's a bot.exe file located at c:\bot.exe so it's not even in any folder. also i checked the msconfig and there were two suspicious dll files called yiumydjo and kncaseik that were running on startup. i unchecked them and now i don't get the error messages of missing dll files when windows starts up, and the bot.exe dos window hasn't popped up again. the bot.exe files still remain though. and these ****ing spyware and anti virus software don't even find anything ffs. this bullshit, i think i'll just format my hard drive. it always works.

piss shit ****. shit.
 
Take your hdd out of your computer, plug it in as a secondary on another machine. Scan that hard drive with Spybot, Windows Defender, AVG. That order works. That will get rid of everything. I will speak with my father who has been a computer tech for god knows how many years, and I'll tell him this .exe and he'll yell off what needs to be done.

Reply:
Paul - Work says:
What are your recommended steps?
Paul - Work says:
I said Spybot, Windows Defender, AVG.
Guy who knows too much about computers.... says:
uncheck the startup items, delete the exe, then run those (updating first) while in safe mode.

So apparently this isn't that bad, as you can be on the same machine with the HDD active to clean it out.
 
here is the logfile.

there's a bot.exe file located at c:\bot.exe so it's not even in any folder. also i checked the msconfig and there were two suspicious dll files called yiumydjo and kncaseik that were running on startup. i unchecked them and now i don't get the error messages of missing dll files when windows starts up, and the bot.exe dos window hasn't popped up again. the bot.exe files still remain though. and these ****ing spyware and anti virus software don't even find anything ffs. this bullshit, i think i'll just format my hard drive. it always works.

piss shit ****. shit.
Don't be too hasty. It's looking like you're pretty much clean tbh. I can't see anything obviously suspicious in that log, although if anyone else does, feel free to chip in.

Hijackthis seems to suggest that bot.exe is no longer running. Does the file itself reappear if you delete it manually? Can you locate yiumydjo and kncaseik and delete them?

I can't see those yiumydjo and kncaseik in the hijackthis log either, so it looks like they're no longer an active problem. They may still be on your comp (doing nothing) however, so if you remember where they were supposed to be then all that's left is to locate and delete them.

If the bot.exe window is no longer popping up, I'd say the problem is mostly dealt with - it's just a matter of tidying things up (i.e. making sure you can delete the files ok).

To be sure you're clean, however, try running Kaspersky's online scan. It won't fix any problems but it is very thorough and will at least tell you if you still have any. My suspicion is that you're more or less clean already, at least in terms of having no malicious programs running. They may be still around on the comp, but if so then they no longer seem to be doing anything. If they are still on the comp, Kaspersky will almost certainly find them so that you can delete them yourself.
 
Update to AVG 8.0, btw. It's got a nice Spyware scanner in there that you can also run in addition to my list.


Also...
Same guy says:
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe = Virus
Same guy says:
he's got zedo and smitfraud
 
Eh? Maybe your dad knows something about the file path that I don't, but I've used SuperAntiSpyware in the past and it was legit, at least in my case. www.file.net suggests that it's only a suspicious file if it's located in C:\

Here's the official SuperAntiSpyware site. I will grant that it looks as suspicious and cheesy and fake as hell, but I used it in the past once when SAS was the only antispy prog I could find whose database contained a certain trojan that I needed rid of. It was actually pretty effective and I had no problems removing SAS afterwards.

edit: just to emphasize its legitimacy, here is a forum thread which actually sings SAS' praises. Personally I'd recommend it above some other more well known programs. Like I say, one time it was the only prog I could find on the net whose database listed a threat that was affecting me.

I think there is a common confusion between it and 'WinAntiVirus' which is a fake, rogue antispy prog, associated with smitfraud.
 
i scanned my computer with Ad-aware but it didn't help. antivirus scan (AVG) didn't find it either.

I'm a little late, but wanted to say that if it's a bot, then you need a bot killer like Spybot S & D.

AVG 8.0 has a bot scanner, but it's brand new and relatively untested.
 
Either it could be packaged with a virus, or there are a lot of instances where that 'program' gets installed with that name to make the user believe that's the real one. Either or, he mentioned he's found quite a few systems brought in with that program installed that when doing scans, that program is being pointed at an awful lot.

Or he could have the legit version, who knows, he hasn't quite said anything about it :laugh:
 
Regardless, in this instance there is nothing to suggest that the SUPERantispyware.exe Seppo has is a virus, as far as I can see. I can find zero reports online of SAS being a vector for shitware, either. On the contrary, to quote this thread:
Superantispyware removed Smitfraud for me, worked extremely well.

To clarify, I'm well aware of the suspicion that SAS receives. I worked in a place where we had a tech/networking guy who was a bit of a genius, but when I explained to him that I was using SAS to deal with a problem I had on my home PC, he refused to accept it was a legit prog on the basis of its corny name, shoddy tray icon, and complete obscurity in terms of reputation. This seems to be a common thread across the net, so I'm not surprised that your dad is experiencing a lot of people pointing fingers at it - nevertheless it is perfectly legit. The bad reputation it has actually belies some serious effectiveness in combatting spyware, and is not backed up by any solid evidence (in my experience) of it being a mask for a malicious prog.
 
or,

Superantispyware installed Smitfraud for me, worked extremely well.

lol. just kidding. I haven't investigated them at all.

I'm real paranoid though.

But I do think about things like - is everyone who comments there part of the evil team to trick us?! and they don't let any outsiders join the forum?!

OMG

because really, if you've ever run a bot scan, and watched the things it scans for, the name of that software SCREAMS fake. SUPERantispyware. lol. Although I guess if you had never heard of it, Spybot - Search & Destroy sounds fake too.
 
Well that's exactly what I mean. Most of the paranoia with the prog is directed towards the name. Read the first thread I posted - the consensus was that it was a good program, but the name and logo really stink, setting off alarms in the minds of most people as a result. The main developer then pops up and actually acts quite offended that they've slagged off his product, lol. Maybe he has some sentimental attachment to the term 'SUPER', or something, who knows. But in any case there are enough threads talking about the legitimacy of the prog for us to be able to assume that all the posters are not employed actors, unless it's the biggest conspiracy the net has ever seen, contrived for the most trivial purpose.
 
^ I know I thought Spybot sounded scary at first D:

*EDIT* I doubt my father would say something is fishy with the program because of its name....
 
Well maybe he's just echoing the fact that other people have voiced concerns about it. But maybe you should suggest to him that he eases people's minds over it or even recommends it because it seems to actually be a really decent prog, made by a small company, that picks up loads of stuff that other progs don't, so it's not really fair that most people immediately react to it as if it's malicious.
 
Again, like I said, he wouldn't voice other people's concerns. He makes his own off of personal experiences.
 
While I can understand you have faith in your dad's expertise, in the absence of any evidence to the contrary I'd say that his experience has led him to the wrong conclusion in this case.

To quadruple check, I just located the old setup file I have on my PC and reinstalled the prog in order to check the file path. It does indeed install an exe at C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe and it is not malicious at all. This is in addition to the fact that I can't find any examples online of there being a malicious SUPERantispyware.exe - the closest suggestion is from filenet.com, saying that if such a file is located in C:\, then it is '52% dangerous'.
 
While I can understand you have faith in your dad's expertise, in the absence of any evidence to the contrary I'd say that his experience has led him to the wrong conclusion in this case.

To quadruple check, I just located the old setup file I have on my PC and reinstalled the prog in order to check the file path. It does indeed install an exe at C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe and it is not malicious at all. This is in addition to the fact that I can't find any examples online of there being a malicious SUPERantispyware.exe - the closest suggestion is from filenet.com, saying that if such a file is located in C:\, then it is '52% dangerous'.

Well, if he isn't using it, no need to be keeping it, for starters. Who knows, something could have dropped it in there recently. Smitfraud is a bitch like that, as is Zedo.

If he uses it all the time, use it, continue to use it then. The steps I outlined in my post should get rid of any Zedo or Smitfraud entries.
 
If your dad is basing the assumption that Seppo is infected with Smitfraud off of the fact that he simply has C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe on his comp - as he seems to be - then he is just plain wrong. Any other measures taken on the basis of that assumption are pointless. I don't know how the presence of SAS would suggest Zedo either, since it is just a tracking cookie or a sly adware service that has nothing to do with SAS, but maybe your dad spotted something else in the log that he neglected to mention. In any case, Zedo wouldn't be causing the problems that Seppo has described.

@Seppo - no need to assume you have Smitfraud, nor any need to uninstall SuperAntiSpyware either. IMO hijackthis is saying you're now pretty clean after having done what I suggested, but you should double check with some form of scan, eg. Kaspersky online scanner, or SpybotSD and AVG in safe mode.
 
don't worry SAS is legit, at least the version I'm using. and yeah i know the name is just so cheesy and screams out spyware. but it's good. trust me, it's not the problem here, because i have just found out where this virus/spyware probably came from.

so, my brother had been using this computer yesterday. he uses MSN messenger quite a lot, and he had clicked a download link of what was supposed to be a picture of someone, but instead it was (most likely) this virus. isn't there a virus circulating on MSN at the moment? like it's pretty much common knowledge that you DON'T accept files from people who you don't know personally. i have to say, i expected more from him, i never would have guessed that my own brother would be stupid enough to click on a random link from some stranger on an online chat... god, this sucks so much.
 
Have you managed to delete bot.exe without it reappearing?
 
nope, i haven't :(

and now i can't even try to delete it, because it says that the file is in use so it can't be removed. this would mean that the program is running, right? which can't be good. i'm using another computer now for browsing the web, because the "contaminated" machine isn't even connected to the internet since i pulled the plug. going to keep it off the internet until i get this mess fixed.
 
well now i scanned my computer with SpyBot and found two more shitware which i deleted. after that i was able to delete the bot.exe file, although i had also terminated some programs that were running so one of those programs might have been the reason i couldn't delete the bot.exe before. good thing is the bot.exe didn't reappear this time, BUT now i got a new DOS window pop up, this time it was sb.exe.

wtf this is just ridiculous...
 
There is something you have missed which is probably recreating and renaming it.

If you get the 'file in use' shit again, use Unlocker, a handy util for deleting files that are in use. It adds itself as a shell extension, so once it's installed you just need to right click>unlock and you can bypass that annoying 'file cannot be deleted' stuff.

Once it's deleted, see if it comes back. If it does, try going through all the stuff with the reg entries, startup items and scanning in safe mode again.

Get hold of Process Explorer too, a better program than Task Manager for monitoring and dealing with your running tasks.
 
Why not grab nod32 (trial)? See if it can put it in 'quarantine'.
 
If you're doing these things in Safe Mode, how is it in use? D:
 
I think I've found the culprit:
http://www.siteadvisor.com/sites/imaageshack.org/postid/?p=926901
These bits stand out:
redir://imaageshack.org
-> infected://mitglied.lycos.de/sirux/images/42165.JPEG/
attachment; filename=42165.JPEG-www.imageshack.com
Found Sandbox: W32/Malware; [ General information ]
* **Locates window "NULL [class _Oscar_StatusNotify]" on desktop.
* **Locates window "NULL [class MSNHiddenWindowClass]" on desktop.
* **Locates window "NULL [class __oxFrame.class__]" on desktop.
* File length: 29696 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\service.exe.
[ Changes to registry ]
* Creates value "Windows svchost"="service.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
The whole idea that it's a fake redirect to a jpeg at 'imaageshack' fits with your brother's story. Plus the fact that one guy just calls it 'MSN Virus!'

Bottom line is I was wrong about the hijackthis log, there's something dodgy in there. It's looking like the line:
O4 - HKLM\..\Run: [Windows svchost] service.exe
...is very suspicious.

Before you delete it though, find this 'service.exe' on your PC and make sure it's not a Microsoft file. Filepath (according to that link) should be C:\WINDOWS\service.exe. Check the properties. If it's not Microsoft, has a recent 'modified' date, whatever, go to town... In fact you should probably delete it anyway since there should be no file like that in C:\WINDOWS\. Once you delete that hijackthis entry (by checking its box and going to 'fix checked') and delete service.exe, things should get much easier.
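As an added example that is not code from this thread or from HijackThis, here is the triage described in the msconfig/HijackThis walk-through earlier and in the post above, written as a small Python script run over O4 Run entries and the process list copied from the log posted in this thread. The three heuristics (bare filename with no path, executable directly under C:\WINDOWS, entry name imitating a core Windows process) and the list of imitated process names are my assumptions for illustration, not anything HijackThis itself checks.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the HijackThis log posted in this thread
# (the "Running processes" block and a handful of O4 Run entries).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\service.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows svchost] service.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
"""

# HijackThis O4 line layout: "O4 - HKLM\..\Run: [entry name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Core Windows processes (all visible in the posted log) that malware likes to
# imitate; the genuine ones run from System32. This set is an assumption.
LOOKALIKES = {"svchost", "services", "lsass", "winlogon", "smss", "csrss"}


def executable_of(cmd: str) -> str:
    """Return the program part of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> Tuple[List[str], List[Dict[str, str]]]:
    """Split a HijackThis log into its running-process list and its O4 Run entries."""
    processes: List[str] = []
    entries: List[Dict[str, str]] = []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # a blank line ends the process block
            continue
        m = O4_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["exe"] = executable_of(entry["cmd"])
            entries.append(entry)
    return processes, entries


def triage(entry: Dict[str, str], processes: List[str]) -> List[str]:
    """Apply the thread's three heuristics to one Run entry; empty list means nothing odd."""
    findings: List[str] = []
    exe = entry["exe"]
    resolved = exe
    if "\\" not in exe:
        findings.append("no path given, so which file runs depends on the search order at logon")
        # Resolve the bare name against what the log says is running right now.
        running = [p for p in processes if basename(p) == basename(exe)]
        if running:
            resolved = running[0]
            findings.append(f"currently running as {resolved}")
    low = resolved.lower()
    parent = low.rsplit("\\", 1)[0] if "\\" in low else ""
    if parent == "c:\\windows":
        findings.append("executable sits directly in C:\\WINDOWS rather than System32")
    stem = basename(resolved)
    if stem.endswith(".exe"):
        stem = stem[:-4]
    words = set(re.findall(r"[a-z]+", entry["name"].lower())) | {stem}
    if words & LOOKALIKES and "\\system32\\" not in low:
        findings.append("entry name imitates a Windows system process but does not run from System32")
    return findings


def suspicious_run_entries(text: str) -> Dict[str, List[str]]:
    """Map each O4 entry name to the reasons it looks suspicious; clean entries are omitted."""
    processes, entries = parse_log(text)
    report: Dict[str, List[str]] = {}
    for entry in entries:
        findings = triage(entry, processes)
        if findings:
            report[entry["name"]] = findings
    return report


if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(SAMPLE_LOG).items():
        print(f"[{name}]")
        for reason in reasons:
            print("  -", reason)
```

Run against the sample it reports only the `[Windows svchost]` entry, resolving the bare `service.exe` to `C:\WINDOWS\service.exe` from the process list; the other five entries pass all three checks.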
 
so it looks like i have some kind of a trojan horse called Sheur something. anytime windows is starting, my antivirus software detects a file called IS154890.EXE at C:/windows. it can be removed, but this same thing happens again every time windows starts, so the file just keeps coming back. BUT this only happens when my firewall asks if windows explorer can access the internet and i click yes. after that the IS154890.EXE immediately appears in the C:/windows directory. if i just block the internet access, nothing happens. good thing my antivirus software is up to date :O

well, this is a mess... it's like a neverending circle. i remove one shitware, two more pop up.
 
Try an NOD32 trial, otherwise if you're unwilling to do that and your AV is not coping fully then the best way is still a manual clean.

Uncheck the msconfig startup items, get a hijackthis log (and put it here in spoilertags if you want), fix the reg items, Unlock and delete what you can, reboot to safe mode, scan, repeat. If nothing else, you're likely to end up 'breaking' the malicious programs, so that they end up calling a missing exe or relying on a missing dll, etc.

I'm also convinced that the above link I posted was your exact original problem, since the registry entry created and the aspects of your brother's story all fit. Therefore the first port of call is to delete that 'O4 - HKLM\..\Run: [Windows svchost] service.exe' and then the bogus 'service.exe' in C:\Windows.
 
Usually I can spot malware just by opening the task manager and looking up processes I don't recognize. I know the services and processes that run normally on my machine like the back of my hand. Also, every time you install new services or software (such as an AV program) it's a good idea to check out the task manager to familiarize yourself with any new processes that have been added to the list. This can save you a lot of heartache in the long run. :)


Here's a list of Services and the processes they relate to.

Note that this approach doesn't always work though, as many malware signatures tend to hide themselves within the kernel/cab files themselves and don't manifest themselves as a process under task manager. It certainly helps though.

If you do find anything suspicious, use the "end process tree" command in the task manager, follow the source, then delete the file.
 
From the looks of how much of a hassle you are having, if you have an extra computer lying around, I'd unplug your HDD, plug it into the other PC as a secondary and do your scans that way. The Trojans/Virus/anything doesn't load on startup, so you have the ability to bypass any sort of 'cloaking' the bastard is doing, and most cases, cleans them up just fine. That's how I've been cleaning everything up in house, as I've got one roomie who looks at the wrong pr0n sites, the other just sits and does random shit on the internet, and I'm the secure one... \=
 
Scan with Spybot + Avg. Or take it to a professional and pay him to recover and clean your files.
 
Scan with Spybot + Avg. Or take it to a professional and pay him to recover and clean your files.

Amazingly, Windows Defender will help a bit as well. I figured anything from M$ would suck, though not awesome, it's better than nothing. Otherwise, those are the two main proggies I use for cleaning.
 
Amazingly, Windows Defender will help a bit as well. I figured anything from M$ would suck, though not awesome, it's better than nothing. Otherwise, those are the two main proggies I use for cleaning.
Windows Defender has evolved from Microsoft Antispyware which in turn grew from GIANT Antispyware, after MS bought out GIANT. The original software by GIANT was an awesome bit of antispy kit, which is why all the iterations of it have actually been pretty good, MS or not.
 
thanks for help everyone, at the moment it looks like i managed to get rid of this crap. no more pop ups or suspicious files. but i'll still need to scan my computer once with AVG before i can be sure. but anyway thanks for the help it was really good stuff. :)
 
Amazingly, Windows Defender will help a bit as well. I figured anything from M$ would suck, though not awesome, it's better than nothing. Otherwise, those are the two main proggies I use for cleaning.

Hmm...where can you get that from?
 
You might wanna go to a website dedicated to hijackthis logs and other diagnostics like spywarewarrior.com or castlecops.com

You might not see any popups or anything now, but the problem is that these things rarely come alone. You might get a new infection if you have some downloader trojan or rootkit lying around too. Best to be safe! :)
 
by the way, just a question: what would be a recommended free antivirus software? what is everyone here using? i used to have AVG but now i moved to Avira AntiVir. i think this one's better than AVG, although i doubt there are any big differences in the end.
 
AVG. Will never touch anything else in the foreseeable future.
 