Virus Help Needed


  1. Posts : 834
    Windows 7 Ultimate SP1 x64
       #1

    Virus Help Needed


    Just today I got a virus on one of my home computers. It disabled MSE and disallows me from accessing any resources, running programs, or starting the task manager or system tools like cmd.

    I can still access Safe Boot mode and ran MSE from safe boot, but the virus/rogue AV is still on the computer. Other than that, it turns the desktop a blue color and floods my router with high pings; I can see this from router logs.

    Here are some pics, I had to take them with my cell because it disabled the Snipping Tool.
    Any help on removing this rogue AV would be much appreciated!


  2. Posts : 6,668
    Windows 7 x64
       #2

    Boot in safe mode with networking
    Safe Mode

    If that keeps it from launching, at that point you can download, install and allow to update Malwarebytes Anti-Malware
    Malwarebytes (free version)

    Run a full scan and let it do its thing and clean it out.
    That should return you to a position where you can boot normally.

    If you can't launch any applications the attached file should return that to normal (all this still needs to be done in safe mode.)


  3. Posts : 834
    Windows 7 Ultimate SP1 x64
    Thread Starter
       #3

    I am able to boot into safe mode and am running a full scan with malwarebytes right now, I will post the log files as soon as it finishes.


  4. Posts : 6,668
    Windows 7 x64
       #4

    When it's done it will give you the option to clean up the mess it finds on the ...bottom right I believe, it's been so long since I was actually infected with anything I'm not sure I'm remembering that little detail right.

    It does a great clean up job though.
    It should get rid of the problem.
    Worst case scenario is afterwards you'll need to use startup repair to get it booting right again.
    Startup Repair

    We don't want to use system restore right now though, as the restore files may actually contain the virus. Depending on how sneaky it was.


  5. Posts : 834
    Windows 7 Ultimate SP1 x64
    Thread Starter
       #5

    Maguscreed said:
    When it's done it will give you the option to clean up the mess it finds on the ...bottom right I believe, it's been so long since I was actually infected with anything I'm not sure I'm remembering that little detail right.

    It does a great clean up job though.
    It should get rid of the problem.
    Worst case scenario is afterwards you'll need to use startup repair to get it booting right again.
    Startup Repair

    We don't want to use system restore right now though, as the restore files may actually contain the virus. Depending on how sneaky it was.

    OK, it's been running the scan for about 35 minutes now. I have used Malwarebytes before and I know what you mean about having to go back and delete the files because it quarantines them.


  6. Posts : 834
    Windows 7 Ultimate SP1 x64
    Thread Starter
       #6

    I successfully managed to remove the infected files, I have included the log files, I ran a quick scan first and then a full scan.
    mbam-log-2011-03-31 (20-00-54).txt
    Code:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    
    Database version: 5363
    
    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385
    
    3/31/2011 8:00:54 PM
    mbam-log-2011-03-31 (20-00-54).txt
    
    Scan type: Quick scan
    Objects scanned: 154371
    Time elapsed: 3 minute(s), 6 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    (No malicious items detected)
    
    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fCd16633iHkPb16633 (Trojan.Agent.Gen) -> Value: fCd16633iHkPb16633 -> Quarantined and deleted successfully.
    
    Registry Data Items Infected:
    (No malicious items detected)
    
    Folders Infected:
    (No malicious items detected)
    
    Files Infected:
    c:\programdata\fcd16633ihkpb16633\fcd16633ihkpb16633.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    c:\Users\basa\local settings\temporary internet files\Content.IE5\ZWQ3XI6W\download[1].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    mbam-log-2011-03-31 (20-47-25).txt
    Code:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    
    Database version: 6231
    
    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385
    
    3/31/2011 8:47:25 PM
    mbam-log-2011-03-31 (20-47-25).txt
    
    Scan type: Full scan (C:\|)
    Objects scanned: 269605
    Time elapsed: 41 minute(s), 23 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    (No malicious items detected)
    
    Registry Values Infected:
    (No malicious items detected)
    
    Registry Data Items Infected:
    (No malicious items detected)
    
    Folders Infected:
    (No malicious items detected)
    
    Files Infected:
    c:\Users\basa\AppData\Local\microsoft\Windows\temporary internet files\Low\Content.IE5\60IKWZ5T\antispy2011setup[1].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    c:\Users\basa\AppData\Local\microsoft\Windows\temporary internet files\Low\Content.IE5\N6JD1KBM\antispy2011setup[1].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    c:\Users\basa\AppData\Local\microsoft\Windows\temporary internet files\Low\Content.IE5\N6JD1KBM\antispy2011setup[2].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.


  7. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #7

    Here are a couple of other options in case Malwarebytes doesn't get it out of the system. Even if MB does remove it, it would be a good idea to run your AV or these tools and do a full system scan while disconnected from the net. Once you get a virus, it's hard to tell how much of it is left behind. And unfortunately, even one tiny file can cause it to come back and reinstall.

    Microsoft Windows Malicious Software Removal Tool

    Download details: Microsoft® Windows® Malicious Software Removal Tool (KB890830) x64

    Norton Power Eraser

    http://security.symantec.com/nbrt/np...origin=default
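
Added example (not part of the thread and not Malwarebytes code): a small Python parser for the text log format shown in post #6. It lists each detection, pairs autorun registry values with removed files of the same name, and reports any item whose action is not "Quarantined and deleted successfully", which is the leftover check post #7 is concerned with. The sample is an excerpt of the quick-scan log above; the function names are this example's own.

```python
import re

# Excerpt of the quick-scan log posted in #6 (header and summary counters omitted).
SAMPLE_LOG = r"""
Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fCd16633iHkPb16633 (Trojan.Agent.Gen) -> Value: fCd16633iHkPb16633 -> Quarantined and deleted successfully.

Files Infected:
c:\programdata\fcd16633ihkpb16633\fcd16633ihkpb16633.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\Users\basa\local settings\temporary internet files\Content.IE5\ZWQ3XI6W\download[1].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^(.+ Infected):$")  # section header; "Files Infected: 2" counters do not match
ITEM = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
AUTORUN = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

def parse_mbam_log(text):
    """Return a list of detection dicts from an MBAM 1.x text log."""
    section, found = None, []
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM.match(line) if section else None
        if m:
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            found.append({"section": section, "path": m.group("path"),
                          "detection": m.group("name"), "action": action})
    return found

def review(detections):
    """Summarise what to re-check by hand after the cleanup."""
    autoruns = [d for d in detections if AUTORUN.search(d["path"])]
    files = [d for d in detections if d["section"] == "Files Infected"]
    linked = {}
    for a in autoruns:
        value = a["path"].rsplit("\\", 1)[-1].lower()  # autorun value name
        linked[a["path"]] = [f["path"] for f in files if value in f["path"].lower()]
    not_removed = [d["path"] for d in detections
                   if d["action"] != "Quarantined and deleted successfully"]
    return {"autoruns": linked, "not_removed": not_removed}

if __name__ == "__main__":
    print(review(parse_mbam_log(SAMPLE_LOG)))
```

An autorun value with no linked file, or any entry in `not_removed`, is what to look at by hand before trusting a normal boot.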


  8. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #8

    Hi ionbasa,

    Looks like Malwarebytes did the trick - it's very good software.

    As an additional check, can I suggest performing an online scan using the ESET on-line scanner? This just helps to give some comfort that nothing has slipped through the cracks.

    Regards,
    Golden


  9. Posts : 6,349
    Windows7 Pro 64bit SP-1; Windows XP Pro 32bit
       #9

    Below is courtesy of JACEE!


    I just copied and pasted.
    You can run it in safe mode with network if needed.
    Also when done you can leave the download which is definitions on your PC and next time it will just update definitions and run.
    Much quicker if needed again later.
    First time I used it was for testing. The second time I was actually doing a virus check as you would be doing.
    Saved 5-10 minutes on second run.
    Mike


    See if Eset finds anything ...

    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Push the Start button.
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, push
    11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Push the button.
    13. Push


  10. Posts : 834
    Windows 7 Ultimate SP1 x64
    Thread Starter
       #10

    Okay, thank you for all the help. MB fixed it and then ran ESET and all was clean.


 