Bicester Computers Support Forum - Complete IT Services in Oxfordshire > SOFTWARE & DRIVERS > Protection Software > Malicious Software & Spam emails (removal procedures)
It didn't work
25th July 2008, 05:41 AM
Maceter (Junior Member; Join Date: Jul 2008; Posts: 6)

For what it's worth I have also just finished the ComboFix repair. And while it claimed to have found the files (buritos, etc.), once the system was rebooted those files had all reanimated.

Thank you for your input.
buritos.exe still there??
25th July 2008, 07:50 AM
laurentio (Master Admin; Join Date: Jan 2008; Location: Oxfordshire, UK; Posts: 440)

Quote (Originally Posted by Maceter):
> I have tried the FP and TR fix but they both seem to have missed buritos.exe (and a couple of others which I have been led to believe are related).
Could you please detail? What makes you believe that buritos.exe is still there and which ones are "the others" as you call them?

> I may be quite wrong, but I feel that I may need a program that can run before Windows boots and erase freely anything that may be related.
Hiren's CD?? It is bootable. You've just mentioned it.

> Thank you for your help.
Anyway Maceter, don't worry, that's why we are here: TO HELP YOU GUYS!
Just details please.
regards,
It Didn't work
25th July 2008, 01:24 PM
Maceter (Junior Member; Join Date: Jul 2008; Posts: 6)

I've attached the images list from the Task Manager (I couldn't show mem & cpu due to file size). But as you can see Buritos is still running, and I thought I saw bravia in there after the FP and TR cleaning, but I don't see it visible now.

I have been working on this computer over VNC and I'm preparing to drive there (about an hour away) today to try to do a "boot from CD" cleaning.

And while the Hiren's CD _is_ bootable (I installed it yesterday and have it running on that system with Daemon tools) I suspect the F-Prot and McAfee that are on the CD are older def files. F-Prot says I can download a newer def file, but I don't know how to modify the iso after I do that. Is there a way to update those files and _then_ burn the (new) iso on to a CD, or should I not worry about that? Are you suggesting that the Hiren's CD with F-Prot would (likely) work? I was kind of expecting you'd recommend an F-Prot "cd" download from somewhere (just for ease of use).

I hope that's enough details. Thank you again.

Attached image: TWE-TM.jpg (52.5 KB)

Last edited by laurentio; 11th January 2009 at 04:46 PM.
UPS virus - removal procedure (onsite)
25th July 2008, 01:51 PM
laurentio (Master Admin; Join Date: Jan 2008; Location: Oxfordshire, UK; Posts: 440)

Quote (Originally Posted by Maceter):
> 1) I have been working on this computer over VNC and I'm preparing to drive there (about an hour away) today.
> 2) I suspect the F-Prot and McAfee that are on the CD are older def files.

1) ... You have to be there to restart the PC after TR scan as TR takes Windows OS into a "frozen state" from where you have to physically restart the computer. Please read the scanning instructions carefully.

2) The above posted F-Prot link lets you download the latest version of the antivirus and it gives you free 30 days trial which means that it can be fully updated to the latest definition files.

3) Once there, AFTER you scan the PC with these two programs could you also run Hijackthis (download from here) and post the log-file so I can have a look at it?

Thank you.
25th July 2008, 03:10 PM
jrink (Junior Member; Join Date: Jul 2008; Posts: 4)

I am trying to run either f-prot or trsetup on an infected computer but it always says, "e:\trsetup.exe The specified path does not exist. Check the path, and then try again"

This happens whether it's f-prot, trsetup, or even ANY program on the computer. How do I install those tools with this error occurring?
It Didn't work
25th July 2008, 03:14 PM
Maceter (Junior Member; Join Date: Jul 2008; Posts: 6)

Quote (Originally Posted by laurentio):
> 1) ... You have to be there to restart the PC after TR scan as TR takes Windows OS into a "frozen state" from where you have to physically restart the computer. Please read the scanning instructions carefully.
- I had a pair of hands local to the machine turn it off and restart it for me each time I have run it.

> 2) The above posted F-Prot link lets you download the latest version of the antivirus and it gives you free 30 days trial which means that it can be fully updated to the latest definition files.
- When I was talking about old def files, I was talking about the copy of f-prot that comes with Hiren's CD. I did the updates for the f-prot that I installed based on your instructions and have run that remotely, but I wouldn't know how to add the new def files to the copy of F-Prot that would run on Hiren's once I booted from that CD (presumably after changing the .iso).

> 3) Once there, AFTER you scan the PC with these two programs could you also run Hijackthis (download from here) and post the log-file so I can have a look at it?
- It will be another couple of hours before I'm there. I've run Hijackthis, the results are below. (I have to say I'm really enjoying these tools you're pointing out - I feel like I've been blind all this time.)
Thank you.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:40 AM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\pycron\pycron.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIA BA.EXE
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\buritos.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIA BA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [buritos] buritos.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Pervasive.SQL Workgroup Engine.Lnk = C:\PVSW\Bin\w3dbsmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D1EFCF-5CA9-4831-9FEF-BCC0A8C4F4D3}: NameServer = 66.96.30.99,66.96.30.91
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Python Cron Service (PyCron) - Unknown owner - C:\Program Files\pycron\pycron.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 6630 bytes
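As an added example (not code from the thread or from HijackThis itself), the triage laurentio does by eye on a log like the one above can be scripted: parse the running-process list and the R3/O4/O17/O23 entries and flag the lines worth a second look, such as a Run key whose value is a bare filename like buritos.exe that is also present in the process list. The log excerpt in the block is a constructed subset of the one posted; the checks are review heuristics, not a verdict.

```python
import re
# Constructed excerpt of the HijackThis log posted above (a few of its lines, not the whole log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\buritos.exe

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [buritos] buritos.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D1EFCF-5CA9-4831-9FEF-BCC0A8C4F4D3}: NameServer = 66.96.30.99,66.96.30.91
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")  # "O4 - ...", "R3 - ...", "O23 - ..."
RUN_RE = re.compile(r"^HK(LM|CU)\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")  # O4 Run-key entries

def image_path(cmd):
    """Executable part of a Run-key command line, quoted or not, with or without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def parse_log(text):
    """Split a HijackThis log into (running process paths, typed entries)."""
    _, _, tail = text.partition("Running processes:")
    procs_block, _, rest = tail.partition("\n\n")  # a blank line ends the process list
    processes = [p.strip() for p in procs_block.splitlines() if p.strip()]
    entries = [(m["kind"], m["body"], raw.strip())
               for raw in rest.splitlines() if (m := ENTRY_RE.match(raw.strip()))]
    return processes, entries

def review(text):
    """Return (reason, log line) pairs a technician should look at first."""
    processes, entries = parse_log(text)
    running = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    findings = []
    for kind, body, line in entries:
        if kind == "O4":
            m = RUN_RE.match(body)
            exe = image_path(m.group("cmd")) if m else None
            if exe and "\\" not in exe:  # installers write full paths; a bare name is found via PATH
                why = "Run entry is a bare filename with no install directory"
                if exe.lower() in running:
                    why += "; the same image is currently running"
                findings.append((why, line))
        elif kind == "R3" and "(no name)" in body:
            findings.append(("unnamed URLSearchHook (search hijack candidate)", line))
        elif kind == "O17":
            findings.append(("per-interface DNS servers; confirm they belong to the ISP", line))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append(("service with no publisher string", line))
    return findings
```

Running review() over the full log in the post flags the same [buritos] entry; the rest of the O4 lines carry full installer paths and pass.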
New Virus
25th July 2008, 03:15 PM
Kristine (Junior Member; Join Date: Jul 2008; Posts: 2)

There's a new one out - Appears to be sent from Jet Blue but it isn't really from them - I don't have a fix for it if a computer gets infected because thankfully my end user didn't open the zip file, but I thought I'd mention that there is a new offshoot of the UPS virus going around now....

The attachment contains a zip file that has the Trojan.Zbot-1715 virus in it.

The text of the email is as follows:

-----Original Message-----
From: Cheryl Brandt JetBlue Airways [mailto:abrieljopi@boyerketchand.com]
Sent: Friday, July 25, 2008 6:14 AM
To: XXX@XXX.Com
Subject: Your order from {airlines} N8401582

Dear customers,
Thank you for using our new service "Buy airplane ticket Online" on our website.
Your account has been created:

Your login: XXXX
Your password: XXXX

Your credit card has been charged for $404.19.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Cheryl Brandt
JetBlue Airways

***end email
25th July 2008, 03:22 PM
jrink (Junior Member; Join Date: Jul 2008; Posts: 4)

In addition to not even being able to run f-prot.exe and trsetup.exe, I can't use sdfix either. When booting in safe mode and trying to run the runthis.cmd file, it gives me a "the system cannot find the file c:\windows]systems32\cmd.exe"

Any ideas here?
25th July 2008, 03:58 PM
laurentio (Master Admin; Join Date: Jan 2008; Location: Oxfordshire, UK; Posts: 440)

Quote (Originally Posted by jrink):
> In addition to not even being able to run f-prot.exe and trsetup.exe, I can't use sdfix either. When booting in safe mode and trying to run the runthis.cmd file, it gives me a "the system cannot find the file c:\windows]systems32\cmd.exe"
> Any ideas here?
Move them all to the C:\ drive, rename them, then try again.
ex: TR to TR2.exe
25th July 2008, 04:05 PM
jrink (Junior Member; Join Date: Jul 2008; Posts: 4)

I'm not sure I follow you. Everything I try to run that's an .exe doesn't work, regardless of whether it's on c:, e:, etc. or whether it's tr.exe or tr2.exe.

Some programs work if I rename them to .cmd, but very few.


EDIT --- I was able to get Trojan Remover to work, but with the 7/23 (not 7/25) updates, as I couldn't "update" since everything (including internet) was broken on the PC. However, running Trojan Remover with the 7/23 definitions (which is what was installed by default) and renaming it to .cmd from an .exe allowed it to run and remove the UPS virus. After a reboot, a LOT more things are working (including .exe files). I'm still going to run F-Prot just to be sure.

Last edited by jrink; 25th July 2008 at 04:22 PM.