Windows 7 Forums


Windows 7: Virus help

16 Mar 2011   #1
noir07

windows 7
 
 
Virus help

Hi everybody, I'm new here. I have recently been having problems with viruses and was wondering if anybody could help. I downloaded Malwarebytes, performed a scan and found 16 viruses, which I quarantined. Here is the log below:



Malwarebytes

Database version: 6079

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

16/03/2011 21:21:30
mbam-log-2011-03-16 (21-21-25).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 321113
Time elapsed: 30 minute(s), 37 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
c:\Windows\Lliqia.exe (Trojan.Downloader) -> 4020 -> No action taken.
c:\Users\Stephen\AppData\Local\Temp\Ljh.exe (Trojan.Downloader) -> 3948 -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\KCSCPW1HKH (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A9YA3MI1CF (Trojan.Downloader) -> Value: A9YA3MI1CF -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU (Backdoor.Bot) -> Value: HKCU -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Lliqia.exe (Trojan.Downloader) -> No action taken.
c:\Users\Stephen\AppData\Local\Temp\Ljh.exe (Trojan.Downloader) -> No action taken.
c:\programdata\apzsefw75smoe87y1b\apzsefw75smoe87y1b\1.0.0.0\service.exe (Trojan.Autorun) -> No action taken.
c:\Users\Stephen\AppData\Roaming\microsoft\Run.exe (Trojan.Autorun) -> No action taken.
c:\Users\Stephen\AppData\Roaming\Winlogon.exe (Trojan.Agent) -> No action taken.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> No action taken.
c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> No action taken.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> No action taken.
c:\Users\Stephen\AppData\Roaming\install\iexplorer.exe (Backdoor.Bot) -> No action taken.




I'm quite worried about passwords and account information being accessed; any help would be greatly appreciated. Thanks all.


16 Mar 2011   #2
Golden
Microsoft MVP

Windows 7 Ult. x64
 
 

Hi,

I notice from your scan log that no action was taken on these files. You need to re-run a FULL SCAN and then let Malwarebytes quarantine or delete these infected items. Once you do that, re-post the scan log.

Also, tell us which anti-malware you have installed on your system, apart from Malwarebytes.

Regards,
Golden
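An added example, not part of Golden's post or of Malwarebytes itself: a small Python parser for the log format quoted above that lists the detections still marked "No action taken" and flags those sitting in autostart locations (Run keys and scheduled-task .job files). The sample log is constructed from the shape of the one posted.

```python
import re

# Constructed sample in the shape of the Malwarebytes log quoted in this thread:
# a summary count line, section headers, and detection lines ending in the action taken.
SAMPLE_LOG = r"""
Memory Processes Infected: 1
Memory Processes Infected:
c:\Windows\Lliqia.exe (Trojan.Downloader) -> 4020 -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A9YA3MI1CF (Trojan.Downloader) -> Value: A9YA3MI1CF -> No action taken.

Files Infected:
c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> No action taken.
c:\Users\Stephen\AppData\Roaming\install\iexplorer.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# A detection line reads "<item> (<family>) -> [pid or value ->] <action>"
DETECTION = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
# Autostart locations present in this log: Run keys and scheduled-task .job files
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\windows\\tasks\\")


def parse_detections(log_text):
    """One dict per detection line; summary counts and empty sections are skipped."""
    section, detections = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith(":"):        # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION.match(line)
        if not m:                     # blank, "Files Infected: 9", "(No malicious items detected)"
            continue
        item = m.group("item")
        detections.append({
            "section": section, "item": item, "family": m.group("family"),
            "action": m.group("rest").split(" -> ")[-1],   # last field is what MBAM did
            "autostart": any(k in item.lower() for k in AUTOSTART_MARKERS),
        })
    return detections

def unresolved(detections):
    """Entries that were only reported, not quarantined (the state flagged in post #2)."""
    return [d for d in detections if d["action"].startswith("No action taken")]

if __name__ == "__main__":
    for d in unresolved(parse_detections(SAMPLE_LOG)):
        tag = " <autostart>" if d["autostart"] else ""
        print(f"{d['section']}: {d['item']} [{d['family']}]{tag}")
```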
16 Mar 2011   #3
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

c:\Users\Stephen\AppData\Roaming\install\iexplorer.exe (Backdoor.Bot) -> No action taken.


What is a Backdoor.Bot?
This is a piece of malware that has worm, downloader, backdoor, keylogger and spy ability ... It is also a password stealer, and can harvest confidential data from the computer.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

More info can be found below:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
How to report ID theft, fraud, drive-by installs, hijacking and malware? Security | DSLReports.com, ISP Information
When should I re-format? How should I reinstall?
When should I re-format? How should I reinstall? Security | DSLReports.com, ISP Information
If you choose to format and reinstall see this link for instructions:
Windows: reformat and reinstall - Cyberwalker.com

17 Mar 2011   #4
I be he

Win 7 64 premium
 
 

Sandboxie is your friend
17 Mar 2011   #5
Golden
Microsoft MVP

Windows 7 Ult. x64
 
 

Quote: Originally Posted by I be he
Sandboxie is your friend
Sandbox won't help now; the user has already been infected.
17 Mar 2011   #6
noir07

windows 7
 
 

Hi, thank you all for the replies. Here is the log with the quarantine actions taken:

Database version: 6079

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

16/03/2011 21:21:36
mbam-log-2011-03-16 (21-21-36).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 321113
Time elapsed: 30 minute(s), 37 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
c:\Windows\Lliqia.exe (Trojan.Downloader) -> 4020 -> Unloaded process successfully.
c:\Users\Stephen\AppData\Local\Temp\Ljh.exe (Trojan.Downloader) -> 3948 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\KCSCPW1HKH (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A9YA3MI1CF (Trojan.Downloader) -> Value: A9YA3MI1CF -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU (Backdoor.Bot) -> Value: HKCU -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Lliqia.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Stephen\AppData\Local\Temp\Ljh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\programdata\apzsefw75smoe87y1b\apzsefw75smoe87y1b\1.0.0.0\service.exe (Trojan.Autorun) -> Quarantined and deleted successfully.
c:\Users\Stephen\AppData\Roaming\microsoft\Run.exe (Trojan.Autorun) -> Quarantined and deleted successfully.
c:\Users\Stephen\AppData\Roaming\Winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Stephen\AppData\Roaming\install\iexplorer.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

I also performed an ESET scan and here were the results:

C:\ProgramData\apZsefW75Smoe87y1B\apZsefW75Smoe87y1B\1.0.0.0\servace.exe probably a variant of Win32/Agent.LGHJRFD trojan cleaned by deleting - quarantined
C:\Users\Stephen\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\3dc414c1-18ee68a9 Java/TrojanDownloader.OpenConnection.AA trojan deleted - quarantined
C:\Users\Stephen\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\26cf81da-737c1a0a Java/TrojanDownloader.OpenConnection.AA trojan deleted - quarantined
C:\Users\Stephen\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\7061701b-47cdf919 probably a variant of Java/Agent.AF trojan deleted - quarantined


I currently use Webroot. One problem I have been facing is that Security Centre keeps disabling itself every time I start it.
17 Mar 2011   #7
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Did you change all your passwords using a different computer that you know is clean?

Let's flush the bad DNS cache and restore MS's Hosts file:
Copy and paste these lines into Notepad.

@Echo on
REM Reset the hosts file to the single default localhost entry
pushd %SystemRoot%\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
REM Renew the DHCP lease and clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
REM Reset the TCP/IP stack, then reboot and remove this script
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Right click to run as Administrator. Your computer will reboot itself.
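Added example, not from Jacee's post or from any Microsoft tool: before the hosts file is overwritten as the batch above does, a responder usually wants a record of what was in it. This Python audit lists every mapping beyond the stock localhost entries the batch writes back; the sample hosts content, domain names and addresses are constructed for the example.

```python
import ipaddress

# Constructed sample: the Windows 7 default hosts file plus the kind of entries a
# hijack adds. Domains and addresses are made up for this example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.example-bank.test  example-bank.test   # redirect to another host (constructed)
127.0.0.1       update.example-av.test                      # blocks an update host (constructed)
"""

STOCK_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line number, ip_address, [names]) for each active mapping; comments are dropped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # strip trailing or full-line comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:                        # malformed address field, skip it
            continue
        yield lineno, ip, names

def audit_hosts(text):
    """(lineno, address, name, reason) for every mapping beyond the stock loopback entries."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if ip.is_loopback and name.lower() in STOCK_LOOPBACK_NAMES:
                continue                          # what the thread's batch file writes back
            reason = ("sinkholed to loopback (blocks the host)" if ip.is_loopback
                      else f"pinned to {ip} (bypasses DNS)")
            findings.append((lineno, str(ip), name, reason))
    return findings

if __name__ == "__main__":
    for lineno, ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}: {reason}")
```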
17 Mar 2011   #8
noir07

windows 7
 
 

Hi, thanks for the reply. I have changed all the passwords.
Is flushing the bad DNS done through the command prompt? Also, could you please direct me how to restore the MS hosts file?
Again, thank you for all the help.
17 Mar 2011   #9
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Follow my above instructions to copy and paste the batch file into Notepad.
It will do the work for you.
17 Mar 2011   #10
noir07

windows 7
 
 

I did that and my computer has rebooted; however, the problems are still continuing, and Firefox keeps directing me to other websites than the one I was intending to go to. I would do a system restore, but Security Centre won't open so I can't. Any advice on what to do next?