Infected .doc filesClosed

Question

Hello,  

I'm having problem with my document files. First, i scanned my external harddisk with Avira, after scanning, it detected 10k of infected files which is the TR/QuickBatch.Gen.It send the viruses into the quarantine then i deleted the viruses. 

After that, I've noticed that all my document files have the similar sized of 1kb and then I opened the document and it only written venom venom venom venom venom venom venom venom venom venom venom 666 Lucifer. 

All documents such as powerpoint, and excel has this kind of message written in it..

Can U help me...pls... 

Configuration: Windows 7 / Firefox 3.6.10

Ambucias · Answer

Hi Kiddo,

Sorry for the delay I was looking into my data bank about venom 666 Lucifer and TR/QuickBatch.Gen.

Seem that we have a description of the virus but no solution was ever found.  Most infected systems are either Spanish or Portugeese.  I checked on the French Kioskea forum and this issue was never discussed.

From my research, there are at least 100 files on your system which were either changed or infected and manual removal is not recommended.

I can prescribe to you a very potent medicinal compound which proved itself to be very efficient in many cases, however, I ignore at this time if it may cause ill effects on your system with the type of infection your have.

If you wish to try it, I will send it to you but it is at you own risk.

Another solution, if you are patient, is that I can call upon a virus expert from our French Kioskea.  But he may not reply today.  His user name is gen_hackman.

Let me know what you wish to do.

Regards

Ambucias · Answer

Hello again Racerkid,

I have put gen_hackman on your case.  I know that you don't speak French, but he can write English.  He is our best wizard when it comes to virus killing.

Trust him and do exactly as says and you will come out victorious.  The virus you have is very tough and nasty.

I will follow your progress and ensure the liaison between the two.

Good luck

RacerKid · Answer

hello sir,
i term of killing the virus yes i'm lost....
But i'm still here...sory for the late reply

RacerKid · Answer

owh ok sir...

gen-hackman · Answer

? Download here: UsbFix on your desktop   

connect all your peripherals without opening them   

/ "\ Disable temporarily and only time using UsbFix, the real-time protection of your Antivirus and Antispyware thy, which may hinder the search process significantly and cleaning tool.   

 if you have XP => double click   
if you have Vista or Windows 7 => right click "run as ...."   

Usbfix icon located on your desktop.   
On the page, click the button:   

? chose option  Remove    

? UsbFix scan your pc, let the tool work.   

? Then post the report UsbFix.txt that will appear with the office.   

? Note: The report is saved UsbFix.txt the root of the disk. (C: \ UsbFix.txt)   

(CTRL + A to select all, CTRL + C to copy and CTRL + V to paste)   
¤¤¤¤¤¤?G3?-?@¢??@?(TM)©®?¤¤¤¤¤&#164

RacerKid · Answer

############################## | UsbFix 7.027 | [Deletion]

User: RACERKID (Administrator) # RACERKID-PC [Gigabyte Technology Co., Ltd. EP43-UD3L]
Updated 28/09/10 by El Desaparecido / C_XX
Started at 17:40:29 | 30/09/2010
Website: http://www.teamxscript.org
Contact: FindyKill.Contact@gmail.com

CPU: Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz
CPU 2: Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz
Microsoft Windows 7 Ultimate  (6.1.7600 64-Bit) # 
Internet Explorer 8.0.7600.16385

Windows Firewall: Enabled
RAM -> 2046 Mb 
C:\ (%systemdrive%) -> Fixed drive # 83 Gb (58 Mb free - 69%) [] # NTFS
D:\ -> Fixed drive # 66 Gb (11 Mb free - 17%) [New Volume] # NTFS
E:\ -> CD-ROM
F:\ -> Fixed drive # 233 Gb (32 Mb free - 14%) [] # NTFS

################## | Files # Infected Folders |


Deleted ! C:\Users\RACERKID\AppData\Local\Temp\a.dat
Deleted ! C:\Users\RACERKID\AppData\Local\Temp\Bff.exe
Deleted ! C:\Users\RACERKID\AppData\Local\Temp\Bfg.exe
Deleted ! C:\Users\RACERKID\AppData\Local\Temp\Bfh.exe
Deleted ! C:\Users\RACERKID\AppData\Local\Temp\sshnas21.dll
Deleted ! C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Deleted ! C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Deleted ! F:\DIJAMANTE

################## | Registry |

Deleted ! HKCU\Software\3FWHZQA3LT
Deleted ! HKCU\Software\Microsoft\Handle
Deleted ! HKCU\Software\XML
Deleted ! HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr
Deleted ! HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\explorer|NoFind
Deleted ! HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\explorer|NoFolderOptions
Deleted ! HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\explorer|NoFolderOptions
Deleted ! HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\explorer|NoRun
Deleted ! HKCU\Software\Microsoft\Windows\CurrentVersion\Run|3FWHZQA3LT
Deleted ! HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Metropolis

################## | Mountpoints2 |


################## | Listing |

[27/09/2010 - 02:08:20 | SHD ] 	C:\$Recycle.Bin
[29/09/2010 - 20:31:30 | RD ] 	C:\32788R22FWJFW
[30/09/2010 - 17:38:59 | RASHD ] 	C:\Autorun.inf
[27/09/2010 - 01:49:14 | SHD ] 	C:\Documents and Settings
[30/09/2010 - 16:23:24 | ASH | 1609424896] 	C:\hiberfil.sys
[27/09/2010 - 02:15:50 | A | 190] 	C:\Install.log
[27/09/2010 - 02:11:51 | D ] 	C:\Intel
[29/09/2010 - 22:30:34 | D ] 	C:\Kill'em
[29/09/2010 - 22:31:07 | A | 2082] 	C:\Kill'em.txt
[29/09/2010 - 22:30:34 | A | 24113] 	C:\List'em.txt
[01/12/2006 - 23:37:14 | A | 904704] 	C:\msdia80.dll
[30/09/2010 - 00:24:23 | RHD ] 	C:\MSOCache
[30/09/2010 - 16:23:32 | ASH | 2145902592] 	C:\pagefile.sys
[14/07/2009 - 11:20:08 | D ] 	C:\PerfLogs
[30/09/2010 - 00:26:05 | RD ] 	C:\Program Files
[30/09/2010 - 16:46:12 | RD ] 	C:\Program Files (x86)
[30/09/2010 - 17:28:50 | HD ] 	C:\ProgramData
[27/09/2010 - 01:49:14 | SHD ] 	C:\Recovery
[27/09/2010 - 02:13:46 | A | 1944] 	C:\RHDSetup.log
[30/09/2010 - 17:40:38 | A | 42104] 	C:\service.log
[30/09/2010 - 04:48:57 | SHD ] 	C:\System Volume Information
[30/09/2010 - 17:42:08 | D ] 	C:\UsbFix
[30/09/2010 - 17:40:39 | A | 3175] 	C:\UsbFix.txt
[27/09/2010 - 02:08:08 | RD ] 	C:\Users
[30/09/2010 - 08:52:59 | D ] 	C:\Windows
[27/09/2010 - 02:08:21 | SHD ] 	D:\$RECYCLE.BIN
[30/09/2010 - 17:39:02 | RASHD ] 	D:\Autorun.inf
[22/03/2010 - 18:54:42 | SHD ] 	D:\Config.Msi
[23/03/2010 - 18:35:27 | D ] 	D:\cyborg GirL
[30/07/2010 - 11:41:46 | RD ] 	D:\Desktop
[23/03/2010 - 18:36:14 | D ] 	D:\handsome suit
[29/09/2010 - 20:40:34 | RD ] 	D:\REPUBLIC OF GAMERSS
[06/04/2010 - 15:19:23 | SHD ] 	D:\System Volume Information
[11/05/2009 - 17:46:11 | D ] 	E:\ASSIGNMENTATION O POYOTION
[21/05/2010 - 17:13:21 | HD ] 	F:\$AVG
[27/09/2010 - 02:31:19 | SHD ] 	F:\$RECYCLE.BIN
[24/08/2010 - 23:57:32 | A | 228696] 	F:\3683677031_c92dd1ccbb_b.jpg
[19/08/2010 - 16:40:56 | A | 239254] 	F:\728.jpg
[19/08/2010 - 16:48:23 | A | 19485] 	F:\741.jpg
[19/08/2010 - 16:56:01 | A | 112083] 	F:\757.jpg
[02/08/2010 - 19:25:07 | A | 1104078] 	F:\AEWOLL.bmp
[16/08/2010 - 12:14:59 | A | 39371] 	F:\attachments_2010_08_16.zip
[30/09/2010 - 17:39:10 | RASHD ] 	F:\Autorun.inf
[23/09/2010 - 01:18:57 | A | 7877] 	F:\funny-cartoon-faces-001.jpg
[23/09/2010 - 01:19:03 | A | 7700] 	F:\funny-cartoon-faces-002.jpg
[23/09/2010 - 01:19:06 | A | 7583] 	F:\funny-cartoon-faces-003.jpg
[23/09/2010 - 01:18:46 | A | 8069] 	F:\funny-cartoon-faces-004.jpg
[23/09/2010 - 01:19:09 | A | 8298] 	F:\funny-cartoon-faces-005.jpg
[23/09/2010 - 01:19:12 | A | 8789] 	F:\funny-cartoon-faces-006.jpg
[23/09/2010 - 01:19:19 | A | 7974] 	F:\funny-cartoon-faces-007.jpg
[23/09/2010 - 01:19:22 | A | 7972] 	F:\funny-cartoon-faces-008.jpg
[23/09/2010 - 01:19:24 | A | 9724] 	F:\funny-cartoon-faces-009.jpg
[23/09/2010 - 01:19:27 | A | 8014] 	F:\funny-cartoon-faces-010.jpg
[23/09/2010 - 01:19:30 | A | 8305] 	F:\funny-cartoon-faces-011.jpg
[30/09/2010 - 00:56:07 | D ] 	F:\GAMESWARE
[28/09/2010 - 13:52:53 | A | 801] 	F:\KPMSIDB.php
[27/08/2010 - 01:24:09 | A | 4206758] 	F:\Mizz Nina Feat. Colby'O Donis - What You Waiting For-atansb.mp3
[09/09/2010 - 23:01:43 | HD ] 	F:\msdownld.tmp
[28/09/2010 - 20:26:53 | RD ] 	F:\MUSIC LISTENING
[28/09/2010 - 20:26:53 | D ] 	F:\My BLOGSPOT Project
[28/09/2010 - 20:26:53 | D ] 	F:\MY FAME OF PICTURES
[28/09/2010 - 20:26:45 | RD ] 	F:\MY VIDEO COLLECTIONS
[29/09/2010 - 22:46:28 | RD ] 	F:\MY WORKING DOCUMENTATION
[28/09/2010 - 09:44:22 | A | 13775872] 	F:\mYnEorIoN.fla
[28/09/2010 - 09:35:37 | A | 13427286] 	F:\mYnEorIoN.swf
[18/09/2010 - 12:24:24 | D ] 	F:\New music
[28/09/2010 - 20:15:30 | D ] 	F:\OTHERSWARE
[29/09/2010 - 18:20:56 | SHD ] 	F:\RECYCLER
[28/09/2010 - 08:22:44 | A | 80] 	F:\resume bam 2.doc
[28/09/2010 - 20:26:25 | RSHD ] 	F:\SAMU
[28/09/2010 - 20:26:21 | D ] 	F:\SOFTWARE
[29/09/2010 - 16:52:31 | SHD ] 	F:\System Volume Information
[28/09/2010 - 20:12:24 | D ] 	F:\website1
[28/09/2010 - 20:12:24 | D ] 	F:\website3
[28/09/2010 - 20:12:24 | D ] 	F:\website4

################## | Vaccin |

C:\Autorun.inf -> Folder created by UsbFix (El Desaparecido & C_XX)
D:\Autorun.inf -> Folder created by UsbFix (El Desaparecido & C_XX)
F:\Autorun.inf -> Folder created by UsbFix (El Desaparecido & C_XX)

################## | Upload |

Please send the file: C:\UsbFix_Upload_Me_RACERKID-PC.zip
https://www.ionos.fr/?affiliate_id=77097
Thank you for your contribution.

################## | E.O.F |

RacerKid · Answer

Is this the file u want?

gen-hackman · Answer

yes   

launch back usbfix and desinstall him   

would you like to give me C:\List'em.txt ?   

click on this link: http://www.cijoint.fr/   

? Click on Browse and look for the file C:\List'em.Txt   

? Click Open.   

? Click on "Click here to submit the file".   

Link to this:   

Http://www.cijoint.fr/cjlink.php?file=265368/cijSKAP5fU.txt   

is added to the page.   

?   Copy this link   in your answer.   

? Do the same with more.txt located on your desktop   
¤¤¤¤¤¤?G3?-?@¢??@?(TM)©®?¤¤¤¤¤&#164

RacerKid · Answer

Is this the file u wanted sir??


http://www.cijoint.fr/cjlink.php?file=cj201009/cijmCwdr7G.txt

http://www.cijoint.fr/cjlink.php?file=cj201009/cija3AgSZQ.txt

gen-hackman · Answer

ok if you have XP => double click if you have Vista or Windows 7 => right click "run as ...." ? Recovery List_Kill'em with the shortcut on your desktop. but this time: ? select the option Clean let the tool work. end of the scan window closes, and you have a report named Kill'em.txt on your desktop ? paste the contents into your reply ¤¤¤¤¤¤?G3?-?@¢??@?(TM)©®?¤¤¤¤¤¤

RacerKid · Answer

¤¤¤¤¤¤¤¤¤¤ Kill'em by g3n-h@ckm@n 2.1.0.8 ¤¤¤¤¤¤¤¤¤¤ 
 
User : RACERKID (Administrators) 
Update on 29/09/2010 by g3n-h@ckm@n ::::: 15.00
Start at: 10:30:34 PM | 9/29/2010

Intel(R) Core(TM)2 Quad CPU    Q8400  @ 2.66GHz
Microsoft Windows 7 Ultimate  (6.1.7600 64-bit) # 
Internet Explorer 8.0.7600.16385
Windows Firewall Status : Enabled

A:\ -> 3 1/2 Inch Floppy Drive
C:\ -> Local Fixed Disk | 83.31 Go (57.99 Go free) | NTFS
D:\ -> Local Fixed Disk | 65.64 Go (11.3 Go free) [New Volume] | NTFS
E:\ -> CD-ROM Disc
F:\ -> Local Fixed Disk | 232.88 Go (31.88 Go free) | NTFS

¤¤¤¤¤¤¤¤¤¤ Files/folders : 

Quarantined & Deleted !! : C:\ProgramData\ihfeumzb.qzk 
 
Quarantined & Deleted !! : C:\Windows\Temp\DMIC16B.tmp 
Quarantined & Deleted !! : C:\Windows\Temp\TS_972B.tmp 
Quarantined & Deleted !! : C:\Windows\Temp\TS_99CC.tmp 
Quarantined & Deleted !! : C:\Windows\Temp\TS_9A4A.tmp 
Quarantined & Deleted !! : C:\Windows\Temp\TS_9CEB.tmp 
Quarantined & Deleted !! : C:\Windows\Temp\TS_9EA1.tmp 
Quarantined & Deleted !! : C:\Windows\Temp\TS_9F10.tmp 
Quarantined & Deleted !! : C:\Windows\Temp\TS_9FCC.tmp 
Quarantined & Deleted !! : C:\Windows\Temp\TS_A655.tmp 
Quarantined & Deleted !! : C:\Windows\Temp\TS_AFAD.tmp 
Quarantined & Deleted !! : C:\Windows\Temp\UDD7A9F.tmp 
Quarantined & Deleted !! : C:\Users\RACERKID\AppData\Local\GDIPFONTCACHEV1.DAT 
Quarantined & Deleted !! : C:\Users\RACERKID\Local Settings\Temp\amt.log 
Quarantined & Deleted !! : C:\Users\RACERKID\LOCAL Settings\Temp\jre-6u20-windows-i586-iftw-rv.exe 
Quarantined & Deleted !! : C:\Users\RACERKID\LOCAL Settings\Temp\ose00000.exe 
Quarantined & Deleted !! : C:\Users\RACERKID\LOCAL Settings\Temp\SecuExp.exe 
Quarantined & Deleted !! : C:\Users\RACERKID\LOCAL Settings\Temp\catchme.dll 
Quarantined & Deleted !! : C:\Users\RACERKID\LOCAL Settings\Temp\drm_dialogs.dll 
Quarantined & Deleted !! : C:\Users\RACERKID\LOCAL Settings\Temp\drm_dyndata_7400009.dll 
 
¤¤¤¤¤¤¤¤¤¤ Hosts ¤¤¤¤¤¤¤¤¤¤

127.0.0.1       localhost   

¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤

RacerKid · Answer

Sir..it only clean the C directory....how about the my external hardisk?
I'm curious since i'm a beginner.

gen-hackman · Answer

it cleans every plugged in disks

it deletes only the unnecessary files (temporary , recycle bin , etc....) 
¤¤¤¤¤¤?G3?-?@¢??@?(TM)©®?¤¤¤¤¤&#164

RacerKid · Answer

sir...

My doc file in external harddisk still written venom venom venom 666 lucifer

gen-hackman · Answer

is it that ? 

F:\ -> Fixed drive # 233 Gb (32 Mb free - 14%) [] # NTFS

RacerKid · Answer

Yup...but i have only 31.8GB free space....

gen-hackman · Answer

you know that ? : 

F:\mYnEorIoN.fla 
F:\mYnEorIoN.swf  
¤¤¤¤¤¤?G3?-?@¢??@?(TM)©®?¤¤¤¤¤&#164

RacerKid · Answer

Yes...

What about that file sir??

gen-hackman · Answer

hailed me the name ....   

Downloads  SF.exe of C_XX    


* Double click on SF.exe (Run as administrator for vista / 7).   

* A window "cmd" will open.   

* Tape venom in this window ,    

tick the MD5 case and [Enter].   

* Wait during the search.   

* A window will appear with a log.txt.   

* Copy / paste that report into your next reply.   


¤¤¤¤¤¤?G3?-?@¢??@?(TM)©®?¤¤¤¤¤&#164

RacerKid · Answer

1. ========================= SEAF 1.0.0.8 - C_XX
2. 
3. Commencé à: 22:45:19 le 30/09/2010
4. 
5. Valeur(s) recherchée(s):
6. venom
7. 
8. (!) --- Calcul du Hash "MD5"
9. 
10. ====== Fichier(s) (TC: Date de création, TM: Date de modification, DA, Dernier accès) ======
11. 
12. 
13. "D:\REPUBLIC OF GAMERSS\RollerCoaster Tycoon 3\Coaster Designs\[StandupCoaster]Venomous.trk" [ ----A---- | 69 Ko ]
14. TC: 28/09/2010,18:30:37 | TM: 10/05/2005,10:01:48 | DA: 28/09/2010,18:35:09
15. 
16. Hash MD5: F823DCDEC33E7EFDA1E7063E9DA4BBCD
17. 
18. 
19. =========================
20. 
21. 
22. =========================
23. 
24. Fin à: 22:45:56 le 30/09/2010 ( E.O.F )
25. 
26. =========================

gen-hackman · Answer

ok I think we're gonna use DrWeb

? Download [Dr Web CureIt ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe] on your desktop:

? restarts in Safe mode

? - Double click (right click "as admin" in Vista / 7) and then clicking <drweb-cureit.exe> <Analyse>;

? - Click <Ok> to prompt rapid analysis. If it finds the process infected then click the button <Yes>.

Note: A window will open with options to "Order" or "50% discount": Exit by clicking the "X".

? - When the fast scan is complete, click on the menu then <Options> <Changing <config; <scanner> Choose the tab, and uncheck <Analyse heuristique>. Then click on <Ok>.
? - Back in the main window: click to activate <Analyse complète>

selects all drives

? - Click the button with green arrow on the right and the scan will begin.
? - Click <Yes> for all at the prompt "Disinfect?" when a file is detected, and then click "Disinfect".
? - When the scan is complete, see if you can click on the icon adjacent to the files found (several leaves on top of one another). If yes, then click and then click on the icon <Next>, below, and choose Quarantine <Déplacer l'objet indésirable>.
? - From the main menu of the tool at the top left, click on the menu and choose <File> <Save the report>. Save the report to your desktop. The latter will be called DrWeb.csv

?-for the report you registered on your desktop, you right click / send to / compressed folders

Then:

you send me the archive like this:

click on this link: http://www.cijoint.fr/

? Click on Browse and look for the above file.

? Click Open.

? Click on "Click here to submit the file".

Link to this:

http://www.cijoint.fr/cjlink.php?file=cjge368/cijSKAP5fU.txt

is added to the page.

? Copy this link to your response.

? - Close Dr.Web CureIt
? - Restart your computer (important because some files can be moved / repaired on reboot).

gen-hackman · Answer

My doc file in external harddisk still written venom venom venom 666 lucifer

say me more about that

is this the name of your doc file or what is written inside ?

RacerKid · Answer

Ok sir,

Its my document of office words, excel, and powerpoint.....I saved many of my files in my external harddisk. But then i just found out that after I plugin into my lab's computer, and i scanned it with my Avira with my pc.....it detects sooo many viruses up to 10000 viruses detected...

Therefore i've deleted all the viruses in the quarantine...And then i checked in my external to see if there is any file or folder missing....

I become shocked for what i saw that all the document including words,excel and powerpoint were sized of 1kb only.......then i open the file all it says venom venom venom venom venom venom venom venom venom 666 Lucifer

All my document were written like that.....my resume, assignment, journal was all written with that sentenced.


Other than that, I checked the properties of the document file.......stated that the size of the file is 80bytes and size on disk stated 4.00kb........

How can i retrieve back my document sir.....

plz help me......the doc is important to me.....the external is the only backup i have.......

gen-hackman · Answer

ok

? Download [Dr Web CureIt ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe] on your desktop:

? restarts in Safe mode

? - Double click (right click "as admin" in Vista / 7 ) and then clicking <drweb-cureit.exe> <Analyse>;

? - Click <Ok> to prompt rapid analysis. If it finds the process infected then click the button <Yes>.

Note: A window will open with options to "Order" or "50% discount": Exit by clicking the "X".

? - When the fast scan is complete, click on the menu then <Options> <Changing <config; <scanner> Choose the tab, and uncheck <Analyse heuristique>. Then click on <Ok>.
? - Back in the main window: click to activate <Analyse complète>

selects all drives

? - Click the button with green arrow on the right and the scan will begin.
? - Click <Yes> for all at the prompt "Disinfect?" when a file is detected, and then click "Disinfect".
? - When the scan is complete, see if you can click on the icon adjacent to the files found (several leaves on top of one another). If yes, then click and then click on the icon <Next>, below, and choose Quarantine <Déplacer l'objet indésirable>.
? - From the main menu of the tool at the top left, click on the menu and choose <File> <Save the report>. Save the report to your desktop. The latter will be called DrWeb.csv

?-for the report you registered on your desktop, you right click / send to / compressed folders

Then:

you send me the archive like this:

click on this link: http://www.cijoint.fr/

? Click on Browse and look for the above file.

? Click Open.

? Click on "Click here to submit the file".

Link to this:

http://www.cijoint.fr/cjlink.php?file=cjge368/cijSKAP5fU.txt

is added to the page.

? Copy this link to your response.

? - Close Dr.Web CureIt
? - Restart your computer (important because some files can be moved / repaired on reboot).

gen-hackman · Answer

hello are you lost ? ^^

RacerKid · Answer

Hello sir....sorie for the late reply........since i was studying

The DOctor web is very difficult for me..........


Its ok sir......i'll stop this matter for now.......i'm giving up......its getting harder n harder........

Thank You for both of u for helping me.....i really appreciate it....

gen-hackman · Answer

ok sorry for the late reply too

it's not really so difficult....^^

Infected .doc files

27 responses

Similar discussions

Subscribe To Our Newsletter!