
Author Topic: New Win32 virus that persists after previous system image is restored  (Read 4558 times)


lightyear

    Topic Starter


    Greenhorn

    <originally posted in the general forum yesterday, reposting here by direction with HIJACKTHIS log results>

    Hi, everyone. In my 10 years or so of using Windows, I have come across a virus just a handful of times, but none have been as difficult or boggling to address as the "New Win32" virus (per McAfee VirusScan Enterprise 8.5.0i) that I picked up last night.

    Yes, I was logged on with admin rights - yes, I know that was bad bad bad. I needed to burn some images and I realized some time ago I couldn't do so using Nero as a limited user, so I changed my account type to do so and, unluckily caught this virus.

    I was browsing with Firefox when all of a sudden I saw a pop-up in my systray warning me that my anti-virus software was turned off. I found that strange since it's always running. I reactivated it right away but noticed FF crashed and when I re-started it my homepage had been changed. I knew something was up so I rebooted and that's when I noticed I had strange shortcuts on the desktop. I rebooted again in safe mode and ran a scan, with the results that 100 items were detected. Upon scanning the list I noticed that many of them were normal program file .exe's that had been deleted after detection as "New Win32" virus. After that cleanup I rebooted and tried running some of those programs - none of which would run because the .exe files had been deleted.

    I have been using Ghost 2003 as a safety tool for years. I used a boot disc to run a restore to the last image I made on June 30th of this year - so just a month ago. That image was clean, as was my computer for all the time up to last night. This is where things get strange... after restoration and reboot, the virus is still there! They are still program file exe's that are on the C drive.

    I have a partitioned hard drive with the operating system on C and my various other files on the remaining drives (3 others, for 4 total drives, including C). I had long ago re-mapped my My Documents folder and some other folders to one of the other partitions. Fearing that some remnant of the virus could be on one of the other drives I scanned every file on every drive and found nothing, then restored the image again. Still, the virus persists and my exe's begin being deleted almost immediately upon reboot.

    On the last restoration, I rebooted directly into safe mode with networking. I updated ad-aware and spybot in safe mode then ran scans. Nothing was found. I could not update McAfee in safe mode. I then rebooted in normal mode to find the problem was still present.

    This is very strange to me that restoring my computer to an image from a month ago when it was fine (using Ghost, not system restore) still ends up with me having the virus. Again, I scanned all the files on every other partition. Does anyone have any ideas?

    ==========  Hijack this log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:09:44 PM, on 8/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\Program Files\Virtual Account Numbers\BhoCitUS.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\DELL\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HPUsageTracking] c:\Program Files\HP\HP UT\bin\hppusg.exe "c:\Program Files\HP\HP UT\"
    O4 - HKLM\..\Run: [hpbdfawep] c:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
    O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
    O4 - HKCU\..\Run: [DELL Webcam Manager] "C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe" /s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\lightyear\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\lightyear\reader_s.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
    O4 - HKUS\S-1-5-18\..\Run: [lightyear] C:\Documents and Settings\lightyear\lightyear.exe /i (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\lightyear\reader_s.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [lightyear] C:\Documents and Settings\lightyear\lightyear.exe /i (User 'Default user')
    O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
    O4 - Startup: HotSync.lnk = Z:\lightyear\My Documents\Palm\Hotsync.exe
    O4 - Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: mute.lnk = C:\Program Files\Mute\mute.exe
    O4 - Global Startup: setvol.lnk = C:\Program Files\SetVol\setvol.exe
    O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Virtual Account Numbers - {DE700910-58F7-4D2E-B7E6-3BA2DA1B6806} - C:\PROGRA~1\VIRTUA~1\CitiVAN.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235695026656
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    O23 - Service: Google Update Service (gupdate1c9e58f9e5c8a9e) (gupdate1c9e58f9e5c8a9e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
    O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

    --
    End of file - 9147 bytes

    Karnac



      Specialist

      Re: New Win32 virus that persists after previous system image is restored
      « Reply #1 on: August 03, 2009, 04:29:23 PM »
      You appear to have a serious infection.

      Three of your entries indicate the presence of reader_s.exe. This is part of the Virut family.

      Evilfantasy recommends a reformat and reinstall when dealing with this infection.

      Below is a previous link to give you some idea of what you are up against,

      http://www.computerhope.com/forum/index.php?topic=81565.0

      Below is another link with more info....

      http://www.prevx.com/filenames/X95641287803391636-X1/READER5FS.EXE.html

      Virus removal tools for this infection have proved ineffective.....

      Consult evilfantasy when he returns for his expertise and direction, I posted this to alert you to the password and banking issues so you can avoid further problems in the meantime.

      « Last Edit: August 04, 2009, 07:37:09 AM by Karnac »


      Never argue with a stupid person, they'll drag you down to their level and beat you with experience.

      lightyear

        Topic Starter


        Greenhorn

        Re: New Win32 virus that persists after previous system image is restored
        « Reply #2 on: August 03, 2009, 06:16:02 PM »
        Hi, karnac

        I believe I was kind of ready for what you told me because I had used the hijackthis log myself to search for some answers (I have never used the tool before). Everything I have read about reader_s is scary, to put it lightly.

        I wanted to ask you or any other members for some pointers in the meantime. I am concerned about my other laptop and desktop computer - as well as my work computer (which is "connected" in a different way).

        In trying to address the problem on my laptop (the known affected system) last night I had to transfer a handful of files via usb drive from it to the other laptop last night. During all this, I also used an external drive to back up many files on that second laptop last night. Now, nothing out of the ordinary occurred on any system aside from the original affected one last night - or even now. I wanted to make sure this is the case and that they aren't actually infected. Is it fair to say that running a hijackthis log in normal mode on any other system I believe could be affected would reveal infection? Perhaps along with a virus scan in safe mode? Do you think the lack of any results would be a fair assumption of non-infection?

        On a related note - the affected system is running an application called "dropbox" http://www.getdropbox.com/ that syncs files in certain folders across systems. That is, I place any files I want sync'd across my home (affected) laptop and my work computer in a dropbox dedicated folder and it syncs. Running the "rmvirut" tool from AVG revealed a number of files "cleaned" that were in that folder. I showed no signs of infection today on my work computer but I intend to perform a check as stated in the preceding paragraph - based on answers to the concerns raised there.

        Thank you, and everyone else for their help. My mind is in disarray right now as I try to deal with this.

        Karnac



          Specialist

          Re: New Win32 virus that persists after previous system image is restored
          « Reply #3 on: August 03, 2009, 06:51:34 PM »
          lightyear,

          It is an insidious worm that just keeps replicating.....I responded to your query since I recognized the severity of the infection and thought you should know the implications.....You'll have to wait for evilfantasy or CBMatt to guide you through this and answer all your questions regarding your other PCs.....In addition I would be hesitant to send any emails from these machines until you get it sorted out. Good Luck.
          « Last Edit: August 04, 2009, 07:11:57 AM by Karnac »



          Shandy



            Intermediate
            Re: New Win32 virus that persists after previous system image is restored
            « Reply #4 on: August 04, 2009, 05:47:59 AM »
            Disconnect the infected machine from your network. Also, don't use any removable media, such as USB pens and phone storage, in the infected computer; the virus may copy itself to those drives and then copy itself to any machine they are then plugged into.

            lightyear

              Topic Starter


              Greenhorn

              Re: New Win32 virus that persists after previous system image is restored
              « Reply #5 on: August 04, 2009, 06:41:40 AM »
              Unfortunately for me, I wasn't aware of what the infection was capable of before taking the steps I should have (as you outlined above). I did share a USB flash drive as well as a couple of external drives with the computer. My main concern at the moment is containment. I am obviously taking precautions now but first need to make sure the other systems and peripherals that may have been affected are not.

              On each other system, I am running, in safe and normal modes, the following things:

              - Hijackthis (and then searching the log specifically for any instance of "reader_s").
              - running the "rmvirut" tool (with downloaded file: "rmvirut.nt") downloaded from: http://www.avg-antivirus.com.au/avg_virus_removal.htm
              - running Cureit from Dr. Web: http://www.avg-antivirus.com.au/avg_virus_removal.htm
              - running "FixVirut" from Symantec: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-022016-4444-99
              - running Kaspersky Virus Removal Tool from: http://www.softpedia.com/get/Antivirus/Kaspersky-Virus-Removal-Tool.shtml
              - running malwarebytes

              I also:

              - do a system search for any instances of "reader_s" in the Documents & Settings and System32 folders
              - search for any instances of "reader_s" in the registry (<-- my heart still stops at every stop on Adobe's reader_sl file and a summary of search terms that already included the term "reader_s".)


              At this point I have three questions about my containment attempts:

              1) If, after taking the above steps, there are no traces or indications of reader_s, can I assume that system is not affected?

              2) Is it necessary to run the above steps in safe mode, then normal mode - or even normal mode, then safe mode?

              3) How do I go about safely addressing a USB drive or external drive. Plugging them into a system that was previously unaffected (due to non-contact) or as determined by non-detection of the above steps endangers that machine, no? Do I plug them in, risking infection, but then perform the above steps to ensure non-infection?
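Added example (not part of the original thread or any poster's code): a Python triage of HijackThis O4 autorun lines that generalizes the "search the log for reader_s" check above into name-independent heuristics, run on lines copied from the log posted in this thread. The three heuristics and their labels are assumptions chosen for illustration; findings are leads for review, and an empty result does not show a system is clean.

```python
import re
from collections import defaultdict

# Subset of the O4 lines from the HijackThis log posted at the top of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\lightyear\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\lightyear\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [lightyear] C:\Documents and Settings\lightyear\lightyear.exe /i (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\lightyear\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [lightyear] C:\Documents and Settings\lightyear\lightyear.exe /i (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
"""

# "O4 - <hive>\..\Run[Once]: [<value name>] <command line>"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# Executable path at the start of the command, quoted or not, arguments dropped.
EXE_PATH = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|bat))\b', re.I)
# Windows XP profile directory prefix: C:\Documents and Settings\<user>\
PROFILE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\", re.I)


def parse_o4(log_text):
    """Return one dict per O4 registry Run/RunOnce line (Startup-folder lines are skipped)."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        # HKEY_USERS\.DEFAULT is the LocalSystem profile, the same key as S-1-5-18.
        hive = m["hive"].replace(".DEFAULT", "S-1-5-18")
        p = EXE_PATH.match(m["cmd"])
        entries.append({"hive": hive, "name": m["name"],
                        "path": p["path"] if p else m["cmd"]})
    return entries


def triage(log_text):
    """Map autorun value name -> sorted reasons it deserves a closer look (assumed heuristics)."""
    entries = parse_o4(log_text)
    hives_by_name = defaultdict(set)
    for e in entries:
        hives_by_name[e["name"]].add(e["hive"])

    findings = defaultdict(set)
    for e in entries:
        prof = PROFILE.match(e["path"])
        # Executable sitting directly in the profile root, not in a program subfolder.
        if prof and "\\" not in e["path"][prof.end():]:
            findings[e["name"]].add("exe-in-profile-root")
        # The SYSTEM account's Run key launching a file from a user's profile.
        if prof and e["hive"].endswith("S-1-5-18"):
            findings[e["name"]].add("system-hive-runs-user-file")
        # The same value name registered under several distinct hives.
        if len(hives_by_name[e["name"]]) > 1:
            findings[e["name"]].add("same-name-in-multiple-hives")
    return {name: sorted(reasons) for name, reasons in findings.items()}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```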

              kpac

              • Web moderator


              • Hacker

              Re: New Win32 virus that persists after previous system image is restored
              « Reply #6 on: August 04, 2009, 06:50:33 AM »
              Quote
              1) If, after taking the above steps, there are no traces or indications of reader_s, can I assume that system is not affected?
              No, unfortunately.

              Quote
              2) Is it necessary to run the above steps in safe mode, then normal mode - or even normal mode, then safe mode?
              Won't make any difference.

              Quote
              3) How do I go about safely addressing a USB drive or external drive. Plugging them into a system that was previously unaffected (due to non-contact) or as determined by non-detection of the above steps endangers that machine, no? Do I plug them in, risking infection, but then perform the above steps to ensure non-infection?
              You cannot transfer any .exe, .dll, .src, .html, .zip, .rar files to the devices. They could also be infected, as well as a few more file types.

              I'm sorry to put everything the way I did, but there is only one outcome with this virus. Just to show what I mean, re-run a scan of Dr Web CureIt and post the results of the scan.

              lightyear

                Topic Starter


                Greenhorn

                Re: New Win32 virus that persists after previous system image is restored
                « Reply #7 on: August 04, 2009, 08:14:10 AM »
                This is incredible. I can't believe how powerful this thing is. I don't even want to touch computers any more. This is the result so far.

                == Laptop patient zero - infected. Didn't know what was wrong, attempted Norton Ghost restoration but could not run program without a boot cd. Could not create cd but necessary files were on this infected laptop. Used USB drive to transfer needed files to another laptop for cd burning.

                This laptop has been restored to old image again, but not booted in normal mode yet. Have been running scans and tools. Condition remains to be determined. Many files on this laptop are needed - mainly image files (photographs).

                == Laptop two - inserted usb drive from infected laptop patient zero. Burned discs. In fear, yet not realizing what the infection was yet, connected external drive to back up files.

                This laptop has been scanned using all steps from above post. Some results were found but none indicative of the reader_s culprit. Dr. Web's Cureit found 4 files: one was a program file tweaki.exe for which the result of the scan said "probably worm" or something like that and the other 3 in the system restore volume. The same files from that volume were also found by malwarebytes and identified as Adware.MyWeb. I do not believe either of these are reader_s related... also because of the following:

                - Hijackthis logs indicate no reader_s
                - RMVirut finds 0 infected
                - no reader_s in a regedit search
                - FixVirut (Symantec) found 0 infected
                - kaspersky found 0 infected
                - Dr. Web no longer finds anything on a second run.

                I **believe** (hope) this system is clean, even though it was connected to a flash drive that was used to transfer files from the infected computer (see next system)

                == Work computer - Infected???!

                I used a program called Dropbox on my original infected laptop which syncs files to my work computer. An RMVirut scan of the infected original laptop showed infected (now cleaned) files that resided in the directory that syncs. I had already used my work computer yesterday before I saw the results of this scan. This morning (just now) I had the computer in safe mode and ran:

                - Hijackthis - with no reader_s entries found.
                - McAfee VirusScan Enterprise (native to the system) - no viruses found
                !!! - RMvirut - infected files found - cleaned. These were files from the Dropbox directory - so it must have synced over at some point while the laptop was connected to the internet.

                I am still running scans on this system now. I am currently on another computer but am now practically afraid for my life. I had used a clean USB drive on this system to download more scanning tools and then used that USB drive to get them on my work computer. Major question: can this virus travel from system to computer in safe mode if I don't exchange an infected file myself?