Exotic Virus Attack... Again!!!


gsoul2soul

WOW... are you?
Just my luck... I guess!!!

This is happening to me... every time I put in my pen drive.

It gets an icon... and inside I can see files like "Autorun", "iesetup.exe", "explorer.exe".

It won't go... so I guess something is inside my computer. And when I checked the Task Manager there are a couple of instances of "dxdlg.exe" running, with "wscript" also.

What shall I do... I have Avast... is there anything else I need to do or install?

Help... is it something called "lizard tail"?

Help... SOS
 
Nope. Avast is ineffective against many of the flash-drive-based viruses. NOD32 is the best antivirus I have seen in my life. It doesn't affect the performance of the system a bit and yet provides complete heuristics-based protection against old and new viruses. Its update system is also quite responsive. Try it, it will solve all your virus problems. Trust me. :)
 

khattam_

Guest
Just download HijackThis from *www.majorgeeks.com/download3155.html, then scan, save a logfile and post the contents of the logfile here.....

Let's see what this virus is doing..
 
gsoul2soul (OP)

WOW... are you?
Okay... then :)

Thanks "khattam" for that tip!!

Here's the log from "HijackThis":


**********************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:03 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dxdlg.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Messenger\Y!Multi Messenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Download Manager\IDMan.exe
D:\Temp\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=explorer.exe wproxp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [imapd] "C:\WINDOWS\system32\imapd.exe" -at
O4 - HKUS\S-1-5-19\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'Default user')
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7EB624E-57C6-460A-B3EC-374E78883389}: NameServer = 202.79.32.33 202.79.32.35
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 5415 bytes
 

skeletor

Chosen of the Omnissiah
I guess C:\WINDOWS\system32\dxdlg.exe is creating problems.

Have a look at these links:
*www.spywareremove.com/removeLizardsTail11.html
*www.securitystronghold.com/gates/lizards-tail-1.1.html
 

Batistabomb

Deadman Walking
First delete the autorun.inf file from each drive, but these files are visible only when you uncheck all three items under Tools -> Folder Options, i.e. "show hidden files and folders" and the two below it.
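Before deleting an autorun.inf it is worth knowing what it would have launched, because that tells you which files on the drive and on the PC belong to the infection. The following Python script is an added example, not code from the thread or from any of the tools named in it: a tolerant parser for the [autorun] section (the Microsoft-documented keys open, shellexecute, shell\<verb>\command and shell) that lists the launch targets, reports when the default double-click verb is redirected to a command in the file, and flags targets whose names collide with Windows system binaries. WINDOWS_NAMES is a hand-picked list and an assumption; the sample file is constructed to match the files the original poster describes (autorun plus iesetup.exe and explorer.exe appearing on the pen drive) and is not a real specimen.

```python
# Added example (not from the thread): triage parser for autorun.inf.
# WINDOWS_NAMES is a hand-picked list (an assumption) of system binary names
# that have no business sitting in the root of a removable drive.
WINDOWS_NAMES = {"explorer.exe", "wscript.exe", "svchost.exe", "rundll32.exe", "winlogon.exe"}


def parse_autorun(text):
    """Tolerant parser for the [autorun] section of an autorun.inf.

    Returns {'launchers': [(key, command), ...], 'default_verb': str or None}.
    Comment lines, lines outside [autorun] and lines without '=' are skipped,
    so padding or junk in a worm-written file does not break the parse.
    """
    result = {"launchers": [], "default_verb": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            result["launchers"].append((key, value))
        elif key == "shell":
            result["default_verb"] = value.lower()
    return result


def executable_of(command):
    """Basename of the program a command line starts ('"x y\\a.exe" /q' -> 'a.exe')."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split()[0] if command.split() else ""
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_autorun(text):
    """Summarise what an autorun.inf would launch and why it looks suspicious."""
    parsed = parse_autorun(text)
    targets = {executable_of(cmd) for _, cmd in parsed["launchers"]}
    verbs = {key.split("\\")[1] for key, _ in parsed["launchers"] if key.startswith("shell\\")}
    warnings = []
    if targets:
        warnings.append("starts a program on insert or double-click: " + ", ".join(sorted(targets)))
    if parsed["default_verb"] in verbs:
        warnings.append("default verb '%s' is redirected to a command in the file" % parsed["default_verb"])
    for name in sorted(targets & WINDOWS_NAMES):
        warnings.append("'%s' on a removable drive is not the Windows copy; treat as planted" % name)
    return {"targets": targets, "default_verb": parsed["default_verb"], "warnings": warnings}


# Constructed sample in the shape the original poster describes (autorun
# plus iesetup.exe and explorer.exe appearing on the pen drive); not a real file.
SAMPLE_AUTORUN = r"""[autorun]
open=iesetup.exe
shellexecute=explorer.exe
shell\open\Command=explorer.exe
shell\explore\command="explorer.exe" /e
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
junk line without an equals sign is ignored
"""

# A benign autorun.inf that only sets a label and icon produces no warnings.
BENIGN_AUTORUN = "[autorun]\nlabel=Backup\nicon=setup.exe,0\n"

if __name__ == "__main__":
    for w in assess_autorun(SAMPLE_AUTORUN)["warnings"]:
        print("WARNING:", w)
```

Run it against the text of the autorun.inf copied off the drive (read the file with a text viewer, not by double-clicking the drive, since that is exactly the action the file hooks). The names it reports are the ones to look for in the drive root and in the running-process list on the PC.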
 

nileshgr

Wise Old Owl
I know what it is to face malicious things on your PC. That's the reason I moved to Linux. When I had Windows XP, I removed about 20 viruses, 40 trojans, 2 adware and 1 spyware using Avast. I can never forget this incident!
 
gsoul2soul (OP)

WOW... are you?
Thank you guys... but this one is exotic!!

I can't remove dxdlg.exe whatever I do... and one thing!!

Whenever I put in a pen drive... it will just put 3 files on it!!

autorun, iesetup.exe and explorer.exe

And the funny thing is... when I scan it with Avast it won't detect it as a virus!!
Even NOD32 couldn't.

I checked all my folders... no autorun or anything!!!

This thing just comes... when I use a USB drive!!
 

gaurav_indian

CG Artist
^ lol, is it that hard to understand that your pen drive has a virus in it? Even if you remove the virus from your system, inserting your pen drive again will cause problems. Download this software

*www.comodo.com/boclean/boclean.html

and restart your PC, and then it will disable those files. And don't forget to update it.
 

khattam_

Guest
The problems are in bold above....

Download Process Explorer from:
www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

Download Autoruns from:
www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx

Run Process Explorer and kill the following processes:
wscript.exe
dxdlg.exe

Run Autoruns and, under the Logon tab, remove
C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs
Search for entries named wproxp and remove them.

Remove the following files from your PC:
C:\WINDOWS\system32\dxdlg.exe
wproxp.exe (most probably in your system32 or Windows folder)
C:\WINDOWS\system32\boot.vbs

DO NOT REMOVE wscript. It is a Windows application for executing VBS files.

This should do. Please post your HijackThis log file after rebooting.
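The two F2 lines in the posted log are the Winlogon Shell and UserInit values, and the fix above boils down to: anything listed there beyond the Windows defaults is the infection's launcher, and its process has to be killed before the file can be deleted. The following Python script is an added example, not code from the thread or from HijackThis: it parses HijackThis-style lines, splits the Shell (space-separated) and UserInit (comma-separated) values into individual commands, flags every command that is not the default, and reports whether that command's executable also appears in the "Running processes" list. The defaults in EXPECTED are the Windows XP ones assumed here (Shell=explorer.exe, UserInit=C:\WINDOWS\system32\userinit.exe); the sample log is a constructed excerpt of the one posted in the thread.

```python
# Added example (not from the thread or from HijackThis): flag Winlogon
# Shell/UserInit launchers in a HijackThis-style log that are not the
# Windows defaults, and say whether each one is currently running.
import re

# Windows XP defaults for the two values the thread's log shows tampered with.
# Assumed here; other Windows versions have different paths.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)


def split_launchers(name, value):
    """Split a Shell (space-separated) or UserInit (comma-separated) value
    into its individual launch commands, dropping empty parts such as the
    trailing comma Windows keeps on UserInit."""
    sep = "," if name.lower() == "userinit" else " "
    return [part.strip() for part in value.split(sep) if part.strip()]


def running_processes(log_text):
    """Collect lower-cased basenames listed under 'Running processes:'."""
    names = set()
    in_section = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:          # blank line ends the section
                break
            names.add(line.rsplit("\\", 1)[-1].lower())
    return names


def find_extra_launchers(log_text):
    """Return [(value_name, command, is_running), ...] for every Shell or
    UserInit command that is not the Windows default. is_running tells
    whether the command's executable is in the process list, i.e. whether it
    must be killed before its file can be removed."""
    procs = running_processes(log_text)
    findings = []
    for line in log_text.splitlines():
        m = F2_RE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        for cmd in split_launchers(name, value):
            if cmd.lower() in EXPECTED[name.lower()]:
                continue
            exe = cmd.split()[0].rsplit("\\", 1)[-1].lower()
            findings.append((name, cmd, exe in procs))
    return findings


# Constructed excerpt of the log posted in the thread (only the relevant lines).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dxdlg.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=explorer.exe wproxp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs
"""

if __name__ == "__main__":
    for name, cmd, running in find_extra_launchers(SAMPLE_LOG):
        state = "running" if running else "not in process list"
        print("%s: unexpected launcher '%s' (%s)" % (name, cmd, state))
```

On the posted log this reports wproxp.exe (not in the process list, so only the file and the Shell entry need removing) and the wscript.exe boot.vbs command (running, so the wscript.exe process goes first, then the UserInit entry and boot.vbs). Note that wscript.exe itself is the legitimate host; it is the boot.vbs argument that matters, which is why the post says not to delete wscript.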
 

dOm1naTOr

Wise Old Owl
Does anybody know about the virus named "FUNNY UST SCANDAL.avi.exe"?
It has got into my PC, and it's in every drive's root.
There are no autorun files like *.ini etc., and they just come back after a refresh if deleted. It came via pen drive.
I can't access taskmgr, eventvwr, or most major system utilities, and all AV software except AVG will not get installed. The installer vanishes. Same in safe mode.
And I've a bootable live Windows disc which caches files temporarily on the HDD, and using that I deleted all files with the above name from all partitions, but when I boot again it comes back. There is some built-in AV software on that disc like NOD32, Kaspersky etc., which all failed to detect the virus.

I don't want to reinstall Windows because I'll have to reinstall many games too, like Crysis [discs are now at a friend's place]. So suggest any idea, guys.
I've another PC which has not yet been infected, thanks to my LAN card already being broken.
 

j1n M@tt

Cyborg Agent
^^ Check %systemroot%\system32\

Look whether there are any unusual .exe... or any script files.

.......... open up the script file to find out which .exe file in %systemroot%\ it is calling up with a time delay (like 30 msec, to regenerate that virus again).

I don't want to reinstall Windows because I'll have to reinstall many games too, like Crysis [discs are now at a friend's place].


domi......... eeeeee :D piracy......
 

dOm1naTOr

Wise Old Owl
Whenever I open system directories like System32 or drivers, the window closes automatically and I'm not able to open or view any event logs/scripts etc. Everything just quits, even in safe mode.
And I can't access those events from the live discs as well. :(

And about the discs, if they were pirated then he [friend] would have easily made copies of them and returned them. :D:D
 

j1n M@tt

Cyborg Agent
Whenever I open system directories like System32 or drivers, the window closes automatically and I'm not able to open or view any event logs/scripts etc. Everything just quits, even in safe mode.
And I can't access those events from the live discs as well. :(

Hey buddy, try via Run... the cmd prompt.

And about the discs, if they were pirated then he [friend] would have easily made copies of them and returned them. :D:D

:-D.... we the pirates??? :mrgreen:
 

dOm1naTOr

Wise Old Owl
Thanks, but that file helped in deleting the file and it was not restored on refresh. But still taskmgr, eventvwr etc. were closing automatically and the funny file was restored on restart.
Should I try running it from the live Windows?
 

j1n M@tt

Cyborg Agent
^^ After using that tool, try using an anti-virus..... or repair/reinstall your Windows with the XP disc..... so it won't remove your already-installed games.....
 