Need help with recurring virus

Heartwork

Hi guys, a couple of weeks ago I was watching a stream on twitch.tv and my browser closed and a fake Windows Security Center popped up and started running a scan telling me I had to get the premium Windows security (I don't recall the exact name of what it was telling me I needed to get). Anyway, I opened the task manager and saw a bunch of processes called "aak.exe" running, so I figured that was the virus. I used "end process tree" to shut them all down, then tried to run Avira (I had Avira and PrevX3.0 both running on my machine at the time). When I tried to open any program (Firefox, any program) it immediately hijacked that command and the fake antivirus started scanning again. I again shut it down with task manager, and each time I tried to open something I'd have to go through the whole "open with" process and find the launcher. In the meantime I ran scans with Avira and PrevX3.0 and both found no problems, so I opened Firefox again to get the virus prompt and found the location of the .exe file from the task manager (it had put aak.exe into the C:\users\xxxxxx\AppData\Local folder). I deleted aak.exe and then tried to open Firefox again, but again had to go through the "open with" process. I downloaded CCleaner, thinking the virus had forced all my applications to run through the aak.exe location which I had deleted. I cleaned my registry and everything worked fine, so I figured I had gotten rid of it.

A week later the same problem occurred, but instead of it being aak.exe it was running through ibh.exe. The file was in the same location and I took the same steps to temporarily fix it.

Since then I've run Lavasoft's AdAware and Avast and both have come up clean. Anyone have any help before I have to take that horrible plunge and reformat?
 

System at a glance:
OS: windows 7 home premium x64
Hi there
I keep saying to people that the ONLY 100% successful way to cleanse a computer is to restore a CLEAN image from a recent backup --- if you don't have one then a new re-install is required.

I certainly would NEVER trust a "Cleansed" computer --- if AV software can't be guaranteed to be 100% effective, why should we expect "cleansing" software to be 100% effective either?

Keep your OS / Programs on different drive(s) / partition(s) to your data / music / email etc.

BACKUP regularly -- plenty of good backup stuff out there -- Macrium, Acronis, Paragon etc etc.

These will also create bootable restore USBs / DVDs too, so you can even recover after wiping the whole HDD clean.

A typical W7 restore will take at the most around 25 mins -- so BACKUP regularly -- it will save NO END OF HASSLE in these circumstances. You will generally only need to recover the OS partition -- your data will remain intact.

As an added level of protection you could create a W7 Virtual machine and ONLY do your web surfing from that machine. Then if it gets infected just ditch it and load a new VM. (When you create a VM you can "clone" it as well. Keep several clones available in case you have to get rid of a VM).

Cheers
jimbo
 

System at a glance:
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Custom built, several laptops HP/ASUS
OS: Linux CENTOS 7 / various Windows OS'es and servers
CPU: Intel i7 Intel i5
Memory: 8GB, 16GB
Graphics Card(s): On Motherboard
Sound Card: Realtek HD audio
Monitor(s) Displays: Apple Cinema display, Samsung LCD
Screen Resolution: 1920 X 1080
Hard Drives: 4 X 1TB SATA
Mouse: Toshiba wireless laser
Internet Speed: > 20MB up
Do you have Advanced Anti Keylogger on your machine?
AAK - aak.exe - Program Information

If not, do the following please:

Copy and paste these lines into Notepad.

@Echo on
rem Reset the hosts file: clear its attributes, overwrite it with the single
rem default entry (which also discards any entries the malware added), then
rem put the attributes back.
pushd %SystemRoot%\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
rem Drop the DHCP lease, obtain a fresh one and clear the DNS resolver cache.
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog (LSPs) and the TCP/IP stack to defaults.
netsh winsock reset all
netsh int ip reset all
rem Reboot after one second so the resets take effect, then delete this script.
shutdown -r -t 1
del %0

Save as flush.bat to your desktop.
Double click on the flush.bat file to run it. Vista and Windows 7: right click the .bat file and choose to run as Administrator. Your computer will reboot itself.


Next, download TDSSKiller and save it to your Desktop.
  • Extract the file and run it.
  • Once completed it will create a log in the root directory (usually C:\).
  • Please post the contents of that log in your next reply.
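Before the hosts reset above wipes the file, it is worth recording what it currently contains, since that is the evidence of what was changed. The following is an added example, not code from the thread or from any tool it mentions: a small Python auditor that flags the kinds of entries a rogue "security" program typically plants, run on a constructed sample hosts file (the vendor and update hostnames and the 203.0.113.7 address are assumed for illustration).

```python
import ipaddress

# What the flush.bat above leaves behind: loopback entries for "localhost".
EXPECTED_NAMES = {"localhost"}
# RFC 1918 and link-local ranges: a name pinned to one of these is a LAN
# shortcut; a name pinned to any other non-loopback address is a redirect.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed sample, not a file from the thread: the stock Windows comment
# lines, one harmless LAN entry, and the two kinds of entries a rogue
# "security" program typically plants (203.0.113.7 is a documentation-range
# address standing in for an attacker-controlled one).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
192.168.1.20    nas.local                   # home file server
127.0.0.1       www.avira.com               # AV update site blackholed
203.0.113.7     windowsupdate.microsoft.com # OS updates redirected
"""

def parse_hosts(text):
    """Yield (line_no, ip, [names]) for every non-comment, non-blank line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield no, fields[0], fields[1:]

def audit_hosts(text):
    """Return (line_no, reason, entry) for each entry worth recording before
    the file is overwritten; this is the evidence of what the malware changed."""
    findings = []
    for no, ip, names in parse_hosts(text):
        entry = f"{ip} {' '.join(names)}"
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, "unparseable address", entry))
            continue
        on_lan = any(addr in net for net in LAN_NETS)
        for name in names:
            if name in EXPECTED_NAMES and not addr.is_loopback:
                findings.append((no, "localhost pointed away from loopback", entry))
            elif name not in EXPECTED_NAMES and addr.is_loopback:
                # Pinning a vendor or update domain to 127.0.0.1 silently breaks
                # AV and OS updates: the classic rogue-AV trick.
                findings.append((no, "blackholed to loopback", entry))
            elif name not in EXPECTED_NAMES and not on_lan:
                findings.append((no, "redirected to public address", entry))
    return findings

if __name__ == "__main__":
    for no, reason, entry in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {reason}: {entry}")
```

To audit the real file, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to audit_hosts instead of the sample.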
 

System at a glance:
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Bruce ... somewhere in his 40's
OS: Windows 7 Ultimate 32bit SP1
CPU: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard: INTEL/D975XBX2
Memory: 4 GB
Graphics Card(s): ATI Radeon HD 2600 Pro
Monitor(s) Displays: Samsung SyncMaster 914v
Screen Resolution: 1280 x 1024
Hard Drives: 2/500GB each ... ST3500630AS ATA Device. One is not connected
PSU: Rocketfish 700 W
Case: G.Skill Gigabyte Chassis
Keyboard: Standard PS/2 Keyboard
Mouse: Microsoft PS/2 Mouse
Internet Speed: DSL
Antivirus: Avira Internet Security
Browser: IE 11
Other Info: ATI HDMI Audio
@Jacee
No, I don't have Advanced Anti-Keylogger. When I get back from work I'll do what you told me and post a log.
 

Okay :)
 

As an aside, what I find interesting is that two different .exe files have been the source of my problem (aak.exe and ibh.exe). Is this a common thing for malware or trojans? The second time it occurred (with ibh.exe as the problem) Avast wanted me to "sandbox" my browser when I opened it, but again said my system was clean when I ran the scan.
 

Hi there
Just bite the bullet -- forget the "Monday Morning Quarterbacking" -- whatever went wrong has gone wrong, and in this situation there really isn't any point in trying to analyse Why or How -- just FIX IT.

To fix it I'd go for either of the solutions outlined in my previous post in this thread. Also consider the VM option too.

Any other course of action will take you AGES and you can never be 100% certain that the problem has been REALLY solved.

Cheers
jimbo
 

I suggest you run the Kaspersky free virus remover tool >> http://goo.gl/k2x1s. I have used this with great success, as have clients and friends. Please follow the instructions.

Kaspersky Virus Removal Tool 2011

Kaspersky Virus Removal Tool 2011 is free software intended to disinfect infected computers, removing viruses, Trojans, and spyware, as well as any other types of malware. Kaspersky Virus Removal Tool 2011 uses the same highly efficient algorithms for detecting malware as Kaspersky Anti-Virus. Algorithms include a fully functional anti-virus scanner, technologies developed for detecting vulnerabilities in installed applications and operating systems, and a technology for running scripts intended for removing complex and compound viruses. The utility can be used as free anti-virus software.

Kaspersky Virus Removal Tool 2011 is not intended for real-time protection of a computer. After the disinfection of the computer is complete, the application should be uninstalled from the hard drive and replaced with a real-time protection anti-virus.

Kaspersky Virus Removal Tool 2011 provides no update function. The up-to-date version of the application with the latest version of the anti-virus databases is always available on the website of the Kaspersky Lab Technical Support service.

Advantages:
  • The application is absolutely free.
  • Simple application interface.
  • Installation on an infected computer, including:
    - in Safe Mode of Microsoft Windows;
    - when a real-time protection anti-virus is running.
  • The installation process no longer requires interaction with the user.
  • Closing the main window is enough to uninstall the application from a computer.
  • Automatic scan and disinfection:
    - search for malware using signature databases;
    - heuristic analyzer;
    - search for and neutralization of rootkits;
    - search for applications with known vulnerabilities;
    - non-signature search for malware based on "cloud" technologies (when Internet access is available).
  • Manual scan and disinfection:
    - collection of information about an infected computer and system;
    - interactive creation of disinfection scripts.

What's new in Kaspersky Virus Removal Tool 2011:
  • The user interface has been improved.
  • The application installation and uninstallation have been simplified.
  • Fully functional use of the application from a flash card has been implemented.
  • Process self-defense has been implemented.
  • The advanced disinfection has been improved.
  • Compatibility with real-time protection anti-virus applications has been improved.
  • Active use of the "cloud" technology of Kaspersky Security Network.
 

System at a glance:
Computer Manufacturer/Model Number: packard bell IXTREME M5722
OS: Windows 7 Home Premium Edition 6.01.7600 SP1 (x64)
CPU: Intel Core 2 Quad Q8300 @ 2500 MHz
Motherboard: Packard Bell (Acer EG43M)
Memory: 8GB Corsair 4x 2GB 800MHz C5 DDR2
Graphics Card(s): XFX 6700 AMD
Monitor(s) Displays: Maestro 234DL - BenQ V2220 - BenQ VW2420H
Screen Resolution: 1920x1080p pixels at 60 Hz in HD LED
Hard Drives: WDC (1000 GB); Drive C: (Hard Disk): 428 GB available on 491 GB; Drive D: (Hard Disk): 426 GB available on 492 GB; SAMSUNG spinpoint HD103SJ 1000.2 GB; (X 2) KINGSTON SSD NOW V 30GB
PSU: XFX ProSeries 550W PSU
Case: PACKARD BELL IXTREME
Cooling: System Blower Current: 150mA, Air Flow 16CFM; Akasa 90mm rear
Keyboard: Gigabyte Aivia K8100
Mouse: TRUST-Wireless Laser Mouse - Carbon edition MI-7770C
Internet Speed: TP-LINK > TL-WN951N / AV500 Gigabit Powerline Adapters
Browser: chrome dev
Other Info: EXTRA COOLING> (FAN CONTROLLER) PC Bay Cooler 3 x 40mm fans; Akasa AK-HD-BL Blue hard drive cooler 2 x 40 mm fan 4500 rpm 29.7 dBA; BIOS: American Megatrends Inc., Version: P01-A1, Date: 08/31/2009
The legitimate aak.exe file is not related to any security threats. However, a spyware or adware program can use the same or a similarly named file to compromise users.
So you have malware that will disguise itself.... and run at startup.
 

Hi everyone
I still think my solution (recover from a good backup or re-install) is the only sensible solution in this situation.

Had the OP followed one of my original suggestions, he would be UP AND RUNNING with a 100% clean computer had he done this between NOW (GMT 21.50) and the time of my previous post approx 2 hrs before.

Sometimes -- and I address this even to real GURU type guys -- time spent on analysing a "One off" type of scenario just isn't worth it if you can fix the entire problem using alternative methods that don't rely on post analysing the original problem.

As an Engineer -- I just want to get stuff working again. If I'm the designer etc I would probably be more interested in the "Why it broke" scenario but in general I just want "to get the show on the road again" as fast as possible.

Cheers
jimbo
 

@jimbo45
I've been at work and haven't been able to do anything other than read forum posts. :)
On the topic of using a system restore, I tried to do that immediately once the attack hit, but it appeared my system restore had been corrupted, so I had to go to "plan B". I thought I had eliminated the problem, then it hit again.
 

Got home and ran the flush; my webrootkit popped up and said system32/netsh.exe was trying to install each reboot and recommended a block, so I did... :( Now I can't access the web on my comp, posting from phone.

(EDIT) Apparently I have a restore point from 2 days ago; restoring to that point and will uninstall webrootkit and rerun the flush.
 

Are you running Webroot Antivirus/Spysweeper? I may be wrong, but I think Webroot hooks Layered Service Providers (LSP), which would be why it's not letting go of netsh winsock reset all.
 

Ya, that's it. I tried a system restore and my reboots are taking forever. Restore failed because it "could not access a file, probably due to an antivirus". I uninstalled all but Avira and ran again with the same error message. Not sure what to do at this point.
 

Disable the proxy settings in Internet Explorer:
1) Under “Tools” in the browser tool bar select “Internet Options”.
2) In the “Internet Options” window that pops up, click the “Connections” tab at the top.
3) Click “LAN Settings” near the bottom of the “Connections” section.
4) If the “Proxy server” checkbox is marked with a check, click it to deselect/uncheck it.
5) Click “Ok” to close the “Local Area Network (LAN) Settings” window.
6) Click “Ok” to close the “Internet Options” window.
Reboot
Make sure "Proxy server" is still disabled under your LAN Settings.
Test whether internet connectivity is restored.
 

Ok system restore pushed through. Should I uninstall Webroot SecureAnywhere and flush again or is there a different course of action to take?
 

Are you able to get on the Internet now?
 

Ya, I'm on right now.
 

Let's see what DDS says ... it doesn't 'fix' anything, it just gives me the information I need to look at :)

Download DDS from one of these links:
Mirror 1 Mirror 2 Mirror 3
  • Disable any script blocking protection
  • Double click the dds icon to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt <--- will be minimized in the task tray
  • Save both reports to your desktop.
Include the contents of both logs in your next post.
The scan will instruct you to post Attach.txt as an attachment.
 

Copy + Paste the DDS text and add Attach.RAR as an attachment ya?
 
