Virus issue, need help ASAP.

Laith · 01 Mar 2016

So, I've had this virus for a couple of weeks now and it has annoyed me, I've tried running Malwarebytes around 10 times now with no success, it detects the file, deletes it but it re-creates. It's until today the virus really scared the living soul out of me. It started to do some VERY weird noises, i thought that was in-game noise, but no. I believe that this is the viruses noise. I'm currently in safe mode writing this, I'll attach a picture of what Malwarebytes detected, I'm gonna install and run an antivirus aswell, I'll download ESET and check. Gonna edit this post when MBAM is done.
These are the symptoms i've been getting:
Taskmgr being disabled
regedit being disabled
Security Center being disabled.
I hope i can fix this ASAP because this is scaring the living crap out of me.

Laith · 01 Mar 2016

So i found out a little more about the virus, it does infact recreate itself. I have no idea if the sounds were coming from the virus or not, but i believe so. dioqaw.pif is the file that it recreates each time you remove it. Should i give this virus to someone to analyze? I'll attach what MBAM gave me. But seriously, what should i do? I'm too scared to go back to normal mode, but if i don't go back to normal mode i won't be able to install any antivirus. I'm desperate.

MoxieMomma · 01 Mar 2016

Hi, @Laith:

Without seeing the full scan log, it's hard to say for sure.
But that appears to be a non-viral trojan in your recycle bin (so have you tried to empty your recycle bin??)/

For the record, MBAM should be run in Normal Windows mode whenever possible, in order to work best.
Safe Mode scanning is not routinely recommended, as MBAM cannot work fully.
If you cannot scan in Normal mode, a better choice than scanning in Safe Mode would be to use the Chameleon technology.
There are many helpful articles about Chameleon here: Chameleon Knowledge Base

That said, some malware (especially certain rootkits) require the use of multiple, specialized tools (and often, customized scripts), in the correct sequence, for full removal.

If @jacee or someone else with malware removal expertise doesn't come along, you might want to head over to one of the reputable computer disinfection fora for a bit of free, expert help.

HTH,

MM

Laith · 01 Mar 2016

Hey Moxie, I've run Malwarebytes many times in normal mode, this is the first time i do it in safemode, it all returns the same result. If i have to i'll consider reinstalling Windows.

MoxieMomma · 01 Mar 2016

Hi:

Thanks for the update.
My point, however, was that if MBAM cannot fully remove it in Normal mode, it's unlikely to be able to do so in Safe mode, either. MBAM needs full access to the system and drivers to work to full capacity.
The Chameleon technology assists MBAM in running on a heavily infected system, and is preferred to Safe Mode scanning.

Reinstalling Windows seems like overkill for what might be malware that can be removed with a bit of expert help and perhaps other tools (such as anti-rootkit specialty scanners).
And if the malware has created hidden partitions or is respawning (e.g. from Google sync), then reinstalling Windows on the OS partition might not cure the problem.

But it's certainly up to you.:)

Good luck!

Cheers,
MM

Laith · 01 Mar 2016

Hey Moxie, i will run Chameleon. But i had plans to move over to Linux once i fully got my Ubuntu set up, so it wouldn't hurt to re-install if needed. I will try to run an anti-rootkit. I don't think the malware has created a hidden partition though, i installed Ubuntu about 4 days ago when the virus was still active in 7 but every partition i had was normal.

torchwood · 01 Mar 2016

Hi Laith,
MBam pro is not an Antivirus.
I would suggest you do an Eset on-line scan, might take a while.

Roy

Laith · 02 Mar 2016

Yeah, i know it isn't an antivirus and okay I'll do that. Also the virus recreated itself.

Laith · 02 Mar 2016

Right off the bat ESET online scanner detects Win32/Sality.NBA, I'll close this if everything is OK after ESET did it's job. Also for those wondering why i didn't get an antivirus: I can protect myself from viruses, but i can screw up aswell.

MoxieMomma · 02 Mar 2016

Laith said:

Right off the bat ESET online scanner detects Win32/Sality.NBA, I'll close this if everything is OK after ESET did it's job. Also for those wondering why i didn't get an antivirus: I can protect myself from viruses, but i can screw up aswell.

If that's a true detection, then, yep, you will need to do a bare metal reinstall -- Sality is a true, file-infecting virus and AFAIK I don't think any tool will be able to fully remove it from the system.

I hope you get your system fixed,

MM