Solved Virus Help Needed

ionbasa

Just today I got a virus on one of my home computers. It disabled MSE and doesn't allow me to access any resources, run programs, or start the Task Manager or system tools like cmd.

I can still access Safe Boot mode and ran MSE from safe boot, but the virus/rogue AV is still on the computer. Other than that, it turns the desktop a blue color and floods my router with high pings; I can see this from the router logs.

Here are some pics, I had to take them with my cell because it disabled the Snipping Tool.
IMAG0049.jpg
IMAG0050.jpg
IMAG0051.jpg
IMAG0052.jpg
Any help on removing this rogue AV would be much appreciated!
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP Pavilion g7-1350dx
OS
Windows 7 Ultimate SP1 x64
CPU
AMD A6-3420M APU
Memory
4.0 Gb DDR3 838 MHz
Graphics Card(s)
AMD Radeon HD 6520G
Sound Card
IDT HD Audio
Screen Resolution
1600x 900
Hard Drives
500GB Hitachi HTS547550A9E384
Boot in safe mode with networking:
http://www.sevenforums.com/tutorials/69585-safe-mode.html

If that keeps it from launching, at that point you can download, install and allow to update Malwarebytes Anti-Malware:
Malwarebytes (free version)

Run a full scan and let it do its thing and clean it out.
That should return you to a position where you can boot normally.

If you can't launch any applications, the attached file should return that to normal (all this still needs to be done in safe mode).
 

Attachments

My Computer

Computer Manufacturer/Model Number
Insane hobo technologies. ;-)
OS
Windows 7 x64
CPU
Intel i7 2600k
Motherboard
Asrock z68 extreme 4 gen 3
Memory
G.skill Ripjaw 16gigs @ 1866
Graphics Card(s)
Nvidia gtx580 (evga)
Sound Card
Integrated HD audio + hdmi
Monitor(s) Displays
24" ASUS widescreen + 42" insignia
Screen Resolution
1080p (1920x1080)
Hard Drives
128 Samsung 830
256 Samsung 840
3 x 1tb storage drive (various)
1 western digital 1tb (eSATA)
1 Seagate 1tb (eSATA)
PSU
1 kilowatt SLI/Crossfire rated Silverstone modular
Case
NZXT Phantom + additional 220 fan
Cooling
Zalmann
Keyboard
Microsoft wireless 3000 (v2)
Mouse
MS - wireless 5000 (bluetrack)
Internet Speed
depends on if you ask me or my provider.
Other Info
The above information is provided as is, and the author assumes no responsibility for issues it may cause with your sanity or fanboyism.
I am able to boot into safe mode and am running a full scan with malwarebytes right now, I will post the log files as soon as it finishes.
 

When it's done it will give you the option to clean up the mess it finds on the... bottom right, I believe. It's been so long since I was actually infected with anything that I'm not sure I'm remembering that little detail right.

It does a great clean up job though.
It should get rid of the problem.
Worst case scenario is afterwards you'll need to use startup repair to get it booting right again.
http://www.sevenforums.com/tutorials/681-startup-repair.html

We don't want to use system restore right now though, as the restore files may actually contain the virus, depending on how sneaky it was.
 

OK, it's been running the scan for about 35 minutes now. I have used Malwarebytes before and I know what you mean about having to go back and delete the files because it quarantines them.
 

I successfully managed to remove the infected files. I have included the log files; I ran a quick scan first and then a full scan.
View attachment mbam-log-2011-03-31 (20-00-54).txt
Code:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

3/31/2011 8:00:54 PM
mbam-log-2011-03-31 (20-00-54).txt

Scan type: Quick scan
Objects scanned: 154371
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fCd16633iHkPb16633 (Trojan.Agent.Gen) -> Value: fCd16633iHkPb16633 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\fcd16633ihkpb16633\fcd16633ihkpb16633.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\Users\basa\local settings\temporary internet files\Content.IE5\ZWQ3XI6W\download[1].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
View attachment mbam-log-2011-03-31 (20-47-25).txt
Code:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6231

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

3/31/2011 8:47:25 PM
mbam-log-2011-03-31 (20-47-25).txt

Scan type: Full scan (C:\|)
Objects scanned: 269605
Time elapsed: 41 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\basa\AppData\Local\microsoft\Windows\temporary internet files\Low\Content.IE5\60IKWZ5T\antispy2011setup[1].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\Users\basa\AppData\Local\microsoft\Windows\temporary internet files\Low\Content.IE5\N6JD1KBM\antispy2011setup[1].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\Users\basa\AppData\Local\microsoft\Windows\temporary internet files\Low\Content.IE5\N6JD1KBM\antispy2011setup[2].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
 

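The two Malwarebytes logs above are the useful forensic record of this infection: a RunOnce value (the persistence that relaunched the rogue AV at every boot), a dropped executable under ProgramData, and several copies of the installer sitting in the IE cache. As an added example, not code from this thread or from Malwarebytes, here is a small parser for that 1.50-era log format that pulls every detection out of the "... Infected:" sections, checks the per-section counts the log declares against what it actually lists, and sorts each item into a rough class (autorun persistence, user-writable payload location, browser cache). The classification rules are my own heuristics, and the sample log is a constructed excerpt built from the detections posted above.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the Malwarebytes' Anti-Malware 1.50 logs
# quoted in this thread (header trimmed; the three detections are the ones
# from the posted quick-scan log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Scan type: Quick scan
Objects scanned: 154371
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 0
Registry Values Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fCd16633iHkPb16633 (Trojan.Agent.Gen) -> Value: fCd16633iHkPb16633 -> Quarantined and deleted successfully.

Files Infected:
c:\programdata\fcd16633ihkpb16633\fcd16633ihkpb16633.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\Users\basa\local settings\temporary internet files\Content.IE5\ZWQ3XI6W\download[1].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^(Scan type|Database version|Objects scanned|Time elapsed): (.+)$")
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")      # summary line with a number
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # start of a detail section
# "<path> (<threat name>) -> [Value: X -> ]<action taken>"
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return scan metadata, the declared per-section counts, and every detection."""
    result = {"declared_counts": {}, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            result[m.group(1).lower().replace(" ", "_")] = m.group(2)
            continue
        m = COUNT_RE.match(line)
        if m:
            result["declared_counts"][m.group(1)] = int(m.group(2))
            section = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # unrecognised line inside a section: skip rather than guess
        parts = m.group("rest").split(" -> ")
        result["detections"].append({
            "section": section,
            "path": m.group("path"),
            "threat": m.group("threat"),
            "detail": " -> ".join(parts[:-1]),  # e.g. "Value: <name>" for registry values
            "status": parts[-1],               # the action Malwarebytes reports
        })
    return result


def classify(detection):
    """Heuristic triage class for one detection (assumption: my own rules, not Malwarebytes')."""
    path = detection["path"].lower()
    if path.startswith("hkey_"):
        if "\\run\\" in path or "\\runonce\\" in path:
            return "autorun persistence"
        return "registry (other)"
    if "temporary internet files" in path:
        return "browser cache (dropper/download)"
    if "\\programdata\\" in path or "\\appdata\\" in path:
        return "user-writable payload location"
    return "file (other)"


def summarize(parsed):
    """Tally detections by class and cross-check the log's own section counts."""
    by_class = Counter(classify(d) for d in parsed["detections"])
    found = Counter(d["section"] for d in parsed["detections"])
    mismatches = [sec for sec, n in parsed["declared_counts"].items() if found.get(sec, 0) != n]
    # Vacuously true for a clean log; a persistent item that was only "Delete on reboot"
    # would make this False and deserves a second look after restart.
    all_remediated = all(d["status"].startswith("Quarantined and deleted")
                         for d in parsed["detections"])
    return {"total": len(parsed["detections"]), "by_class": by_class,
            "count_mismatches": mismatches, "all_remediated": all_remediated}


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for d in parsed["detections"]:
        print(f"[{classify(d)}] {d['threat']}: {d['path']} ({d['status']})")
    print(summarize(parsed))
```

Running it over both posted logs shows why the second (full) scan still mattered: the quick scan removed the persistence and the dropped payload, while the full scan caught three more copies of the installer in the IE cache that would otherwise have sat there waiting to be re-run.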
Here are a couple of other options in case Malwarebytes doesn't get it out of the system. Even if MB does remove it, it would be a good idea to run your AV or these tools and do a full system scan while disconnected from the net. Once you get a virus, it's hard to tell how much of it is left behind. And unfortunately, even one tiny file can cause it to come back and reinstall.

Microsoft Windows Malicious Software Removal Tool

Download details: Microsoft® Windows® Malicious Software Removal Tool (KB890830) x64

Norton Power Eraser

http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Hell oh Well
OS
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
CPU
Intel Core 2 Duo 2.93GHz
Memory
Not much with my ADHD
Graphics Card(s)
ATI Radeon HD 4350
Monitor(s) Displays
24" HDTV/Monitor
Screen Resolution
Blurry after a Scotch or 2
Hard Drives
1 HDD 250 GB, 1 HDD 1 TB, 3 - 1 TB Externals
Case
Don't get on my case...man :D
Cooling
I have an Air Conditioner & Diet Pepsi
Keyboard
Saitek Cyborg
Mouse
10 yr old MS optical mouse that still works
Internet Speed
Never fast enough
Antivirus
Various
Browser
Various
Hi ionbasa,

Looks like Malwarebytes did the trick; it's very good software.

As an additional check, can I suggest performing an online scan using the ESET on-line scanner? This just helps to give some comfort that nothing has slipped through the cracks.

Regards,
Golden
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Golden Mk. I.4
OS
Windows 10 Pro x64 ; Xubuntu x64
CPU
Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz
Motherboard
Gigabyte P55A-UD3R Rev.1. Award BIOS F13
Memory
16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24)
Graphics Card(s)
EVGA NVidia GTX 560 1024MB
Sound Card
Realtek Integrated
Monitor(s) Displays
Dual Samsung SyncMaster 2494HS
Screen Resolution
1920*1080 and 1920*1080
Hard Drives
1*Samsung 840 EVO 120GB SSD;
1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
1*Samsung F1 SpinPoint 1TB;
2*Western Digital 1TB External USB 3.0
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0
PSU
Thermaltake ToughPower QFan 750W
Case
Thermaltake Element S VK60001W2Z
Cooling
Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans
Keyboard
Logitech G110
Mouse
Logitech MX518
Below is courtesy of JACEE!


I just copied and pasted.
You can run it in safe mode with network if needed.
Also when done you can leave the download which is definitions on your PC and next time it will just update definitions and run.
Much quicker if needed again later.
First time I used it was for testing. The second time I was actually doing a virus check as you would be doing.
Saved 5-10 minutes on second run.
Mike


See if Eset finds anything ...

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
     1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
     2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png].
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png].
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [esetListThreats.png].
  11. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the [esetBack.png] button.
  13. Push [esetFinish.png].
 

My Computer

Computer Manufacturer/Model Number
Hopalong/ Godzilla
OS
Windows7 Pro 64bit SP-1; Windows XP Pro 32bit
CPU
Intel Core i7-870 Lynnfield 2.93GHz LGA 1156 95W Quad-Core
Motherboard
ASUS P7P55D-E PRO
Memory
8GB@1400MHz Crucial Ballistix DDR3-1600 4x2GB
Graphics Card(s)
ASUS ENGTX460 DirectCU/2DI/1GD5 1GB 256-bit GDDR5
Sound Card
VIA Onboard
Monitor(s) Displays
Asus VS248H-P 24"; Samsung SyncMaster 941BW 19"ws
Screen Resolution
1920x1080; 1440x900
Hard Drives
Samsung 830 120GB SSD
Intel 320 120GB SSD
Western Digital Caviar Black WD7501AALS 750GB 7200 RPM SATA 3.0Gb/s
Western Digital Caviar Black WD6401AALS 640GB 7200 RPM SATA 3.0Gb/s
PSU
COOLER MASTER Silent Pro RS850-AMBAJ3-US 850W Modular
Case
COOLER MASTER HAF 932 RC-932-KKN5-GP Black
Cooling
Scythe "Mugen-2 Rev.B" (2 ScytheKaze-Jyuni PWM fans)
Keyboard
Logitech K-320
Mouse
Kensington
Antivirus
Avast Internet Suite
Browser
IE 9 ; Chrome
Okay, thank you for all the help. MB fixed it and then I ran ESET and all was clean.
 

Good deal.
 
