Avast WEBforum
Other => Viruses and worms => Topic started by: toobusyforvirus on November 11, 2011, 02:54:45 PM
-
A program called AV Security 2012 automatically downloaded and installed itself through firefox last night. I couldn't get rid of it and it started saying legitimate things were illegal processes (like task manager, firefox, chrome, etc.) when I was trying to find a solution. It forced a system reset and I had just enough time to schedule avast's boot scan, but that didn't pick it up either. Now the system says windows has been restarted to apply updates and the virus is preventing me from doing anything.
I'm not sure what other information would help besides the fact that I'm using XP professional.
Is this a common virus with a good method of removing it, or will I have to reformat?
-
read it all before you start
Remove AV Security 2012 (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-av-security-2012
If you have no success with this, then follow this guide and attach all logs
http://forum.avast.com/index.php?topic=53253.0
Essexboy will then help you when he arrives here later today...
-
Thank you. I have to get to work, but I will definitely go through those steps when I get back.
I'm just wondering though, if/when I remove it, what's the best way to go about reformatting system and starting fresh while making sure that any rootkits or other nasty things don't stay in the system?
-
I have PMed Essexboy so he sees this when he arrives here.
This rogue is sometimes bundled with rootkits, so I would follow Essexboy's guide also and attach those logs; Essexboy can then see if all is gone.
he is usually in here around 08:00pm - 11:59pm UK time
-
Okay, I only have to work a few hours today, so I'll check back then.
I did have one thing I remembered that I need to ask. I use an external hard drive for most of my storage because my main isn't very big. Do these viruses bother messing around with those, or will I need to do some specific cleaning on the external after I get it off the pc?
-
Do these viruses bother messing around with those,
I don't think so... but Essexboy will give you all the info, as he is removing lots of these every week
-
Okay, I'm borrowing a laptop to work on. I've already got the malware bytes exe loaded up on a flash drive. I printed out a copy of the "bleepingcomputer" page you sent me in case I lose wireless here (my pc is hardwired to my cable modem, but this laptop is connected to my family's wireless a few apartments over so the connection is kinda dodgy). I've had my computer turned off ever since this morning.
Now that I'm not in a rush to get out the door I can elaborate on what happened. It jumped on my pc and gave me fits last night, so my first reaction (with relatively little system security knowledge) was to run avast, CCleaner (I had something earlier in the year and a lot of tech sites were saying that program was supposed to fix that particular virus or trojan or whatever so I kept it installed in case I had the same trouble again), and threw up PeerBlock in case it helped (usually that thing is good about not letting sketchy ads connect, but I turned it off that evening because it seemed to be interfering with the Starcraft streams on teevox). I don't imagine it was a bright idea to leave the system running with that thing active, but I thought running avast and the CCleaner would take care of it, so it had an hour or two of uptime to mess around with stuff. I started going through task manager to close a couple of processes I didn't recognize as a normal system process, but the virus didn't like that and activated an automatic reboot countdown, so I quickly told avast to schedule a boot scan because I figured avast might be able to catch it if the virus isn't running and mucking about in windows yet. It popped up a couple of suspicious files that had something to do with Java, and I chose "move all to chest" so I wouldn't have to babysit the thing (I thought moving to chest or vault or whatever is the safe thing to do, but maybe I was wrong). Unfortunately I waited about an hour for the boot scan to finish (it was actually moving at a pretty good pace, but my main was pretty full so it takes a while) and it wasn't even past saying 0%, so I went to bed. When I got up in the morning the screen was displaying the windows user login page (I thought it would stay in the boot with the results of the scan, but it didn't), so I logged on to find out if avast had some good news for me.
Windows said it had automatically restarted to apply an update, and had that little green shield sitting in the tray, so I have no idea if that's legit, or if the virus ran a fake update and infected even more of the system. I immediately started noticing the same shenanigans the virus was doing last night, so I turned the computer off (hard turn-off at the power button) and started looking for alternatives. I came here this morning, and you know the rest. :)
Side question... My pc has a wireless card, but I never really got it to work properly, so if some of the troubleshooting involves booting all the way back into windows should I be worried about the virus getting onto the network or others in the vicinity? I figure if that would have happened it would've happened in the first few minutes of mucking about on my machine.
edit: I forgot to ask...
The virus was interfering with pretty much anything I tried to do. Should I go ahead and turn it back on to follow the guide, or wait for Essex (the local guru, I gather?) just to be safe?
-
Hi, let's see if we can kill this dead. Do not allow the other computers to access the sick one
Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) to your desktop
- Quit all running programs
- For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
- When prompted, type 2 and validate
- The RKreport.txt shall be generated next to the executable.
- If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.
THEN
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
Hi! Thanks for your help. I'm trying to get everything I need on one USB so if it gets infected then I won't have to put the usb back in this laptop.
Currently the usb is empty except for...
mbam setup
rkill
tdsskiller
hosts perm
hosts
otl
aswmbr
and now downloading the one you just told me to.
Is there anything else I should prepare?
edit: It sounds like you're giving me directions for the computer already being running in windows. should I start in the safe networking mode, or should another mode be chosen?
also, sorry if my responses seem slow, my connection isn't very good on this laptop. :)
-
Nope that looks good.... Just run RogueKiller and OTL initially as we do not want to kill any of the wrong files
I have attached the data to input into OTL for the scan as scan.txt. Download that to the USB and just drag and drop it into the OTL scan window
-
Safe or normal mode - your choice it will work in either
-
Okay, I'm logging into the avast webforum on the pc (it's letting me use firefox now) so I can paste the page (it's way too long for me to manually transcribe)
-
RogueKiller V6.1.7 [11/05/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: RED [Admin rights]
Mode: Remove -- Date : 11/11/2011 17:34:38
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED ()
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED ()
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED ()
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED ()
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
46.4.179.109 google.com
46.4.179.109 yahoo.com
46.4.179.109 bing.com
46.4.179.109 facebook.com
46.4.179.109 yahoo.com
46.4.179.109 bing.com
46.4.179.109 facebook.com
46.4.179.109 yahoo.com
46.4.179.109 bing.com
46.4.179.109 facebook.com
Finished : << RKreport[1].txt >>
RKreport[1].txt
-
That's the result of the roguekiller program.
-
OK I can see where to go from that and with OTL I should be able to remove the majority
-
oops. I forgot to click "all" in the boxes before running the custom scan, and I didn't see an "all users" option
-
Should I terminate the scan and check the "all users" box (I can't believe I missed that)
-
There's only two users though. The one I'm logged in on and the admin account.
edit: It's been saying "manual file scan" for a while now. Is that normal?
-
If you could attach the log - I will work from the initial one first, then look at all users later
-
The log popped up, is it normal for the txt file to be really laggy?
Also, there is an OTL.txt, and an Extras.txt
-
Until I remove the malware - yes
Attach the log like this
-
I tried posting the OTL.txt, but it says the maximum length is 10000 characters
Okay, I see.
-
Yes you need to attach it, use the additional options link at the bottom of the post
Browse to the log and post
-
Here they are.
edit: running the "scan all users" version now.
-
I think this is the one from the "all users" option. It may or may not have saved over the original file.
The "all users" version only took a few seconds, is that normal?
-
Warning: This fix is only relevant for this system and no other, using it on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Download the attached fix.txt to the desktop of the affected system
Run OTL and press run fix
A dialogue will pop up asking for the location
Select the fix.txt on the desktop and press run fix again
-
Here's the fix log from the first step.
-
You ran the scan.txt again... Please use the one marked fix.txt
Or run it this way
Warning: This fix is only relevant for this system and no other, using it on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
SRV - File not found [On_Demand | Stopped] -- -- (MMMMEHZIL)
O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O4 - HKLM..\Run: [HKK88fRZ9hYXjU8234A] C:\WINDOWS\system32\AV Security 2012v121.exe (Microsoft Corporation)
[2011/11/11 08:32:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RED\Application Data\PCwkUVrlOtPuSi
[2011/11/11 08:32:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RED\Application Data\mD3pnG5aQ6
[2011/11/11 08:25:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RED\Application Data\yF4pmH5sQ7E
[2011/11/11 08:25:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RED\Application Data\P6sWK7fRLgXjCkB
[2011/11/11 01:05:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RED\Start Menu\Programs\AV Security 2012
[2011/11/11 01:05:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RED\Application Data\kYYCCekIVrzOyx0
[2011/11/11 01:05:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RED\Application Data\DHH6ssWJ7fELgTq
[2011/11/11 01:05:03 | 000,000,000 | ---D | C] -- C:\Program Files\C7448
[2011/11/11 01:04:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RED\Application Data\A48C7
[2011/11/11 01:04:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RED\Application Data\bFF33mG5sQ6dE8R
[2011/11/11 01:04:41 | 002,914,816 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\AV Security 2012v121.exe
[2011/11/11 01:04:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RED\Application Data\P6ddEEK8gRZhYwk
[2011/11/11 01:04:41 | 002,914,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\AV Security 2012v121.exe
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Oh, okay, I thought I clicked on run fix. My bad, I'll try again.
-
I will be going offline shortly but once you have run the fix - you should be nearly back to normal
Once the fix has completed and rebooted the computer then run Malwarebytes
-
here's the file that popped up when I rebooted after the fix.
Is that what we want?
-
Thanks for all your help. You're amazing! Is there any way I can order you like some pizza or take-out or something for your trouble?
-
Remember to update Malwarebytes before you run the quick scan....
-
I checked the update box in the installation dialog when it gave me choices for update after installation and run after installation.
-
I did tell it to run a full scan instead of a fast scan though. How long should that take, assuming it's a few hundred gig drive that's nearly full. It's been chugging away at scanning rosetta stone files for about 5 minutes or so now LOL
-
Well... I guess we will see that log tomorrow then....
If it finds anything, click the "remove selected" button to send it to quarantine
-
I stopped it after finding 5 because it looked like it was going to take forever. Ran a quick scan and found 11. I'll add the logs from those in a minute. I'm just going through all the procedures that everyone linked me to to make sure I get rid of everything. I'll run the full scan when I go to sleep so it should be finished in the morning.
-
Your log says "NO ACTION TAKEN"... did you not click the "REMOVE SELECTED" button after the scan?
If you have to run it again, remember to UPDATE first
-
I have the same problem; here is the RogueKiller information:
Ladyaseret
*************************************
RogueKiller V6.1.7 [11/05/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Teresa [Admin rights]
Mode: Remove -- Date : 11/12/2011 03:14:03
¤¤¤ Bad processes: 6 ¤¤¤
[SUSP PATH] MossySkySA.exe -- C:\Users\Teresa\AppData\Local\MossySkySA\bin\2.0.15.0\MossySkySA.exe -> KILLED [TermProc]
[SUSP PATH] visicom_antiphishing.exe -- C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe -> KILLED [TermProc]
[SUSP PATH] Linkury.exe -- C:\Users\Teresa\AppData\Local\Linkury\Application\Linkury.exe -> KILLED [TermProc]
[SUSP PATH] netsession_win.exe -- C:\Users\Teresa\AppData\Local\Akamai\netsession_win.exe -> KILLED [TermProc]
[SUSP PATH] netsession_win.exe -- C:\Users\Teresa\AppData\Local\Akamai\netsession_win.exe -> KILLED [TermProc]
[SUSP PATH] AV Security 2012v121.exe -- C:\Users\Teresa\AppData\Roaming\WWWJJ7ffE\AV Security 2012v121.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 7 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : MossySkySA ("C:\Users\Teresa\AppData\Local\MossySkySA\bin\2.0.15.0\MossySkySA.exe") -> DELETED
[SUSP PATH] HKCU\[...]\Run : Akamai NetSession Interface (C:\Users\Teresa\AppData\Local\Akamai\netsession_win.exe) -> DELETED
[SUSP PATH] HKCU\[...]\Run : Linkury Chrome Smartbar (C:\Users\Teresa\AppData\Local\Linkury\Application\Linkury.exe startup) -> DELETED
[SUSP PATH] HKLM\[...]\Wow6432Node\Run : Anti-phishing Domain Advisor ("C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe") -> DELETED
[SUSP PATH] RunAsStdUser Task.job : C:\Users\Teresa\AppData\Local\MossySkySA\bin\2.0.15.0\MossySkySA.exe -> DELETED
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED ()
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED ()
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
Finished : << RKreport[1].txt >>
RKreport[1].txt
-
@ladyaseret
When having problems, start your own topic.... as helping multiple users in the same thread will only be chaos
Also, every fix Essexboy makes is different for every computer, so it must only be run on the computer it is made for... or else damage may occur
Follow the instructions here and attach all logs, also the one you posted here
http://forum.avast.com/index.php?topic=53253.0
Also see DavidR's post there on how to start a new topic
-
Sorry I am way new at this.
-
Could you now run a fresh OTL log please and let me know what the current problems are ;D
-
Hello, I think I either got the same thing again, or it missed a file last time because it popped back up again.
I had Malwarebytes from before and left it on because it seemed to be doing a pretty good job, but it kept saying that it had expired. My Skyrim crashed on a loading screen and rebooting was all I could do to fix it. When the system rebooted I saw Malwarebytes start running in the tray and I figured since it was expired it wasn't doing anything, so I told it to exit (d'oh). Then I went on demonoid to look for old tv shows and didn't close the dumb pop up they always have fast enough, and accidentally brushed the mouse button as I was mousing down to the taskbar to close it. Amazingly enough the same security program started running again.
The weird thing though is that this time I tried booting in safe mode with networking like before and that program started up there too (I don't remember it doing it in safe mode last time).
Any ideas where I should start?
-
I almost forgot to add, it was also preventing me from reopening malwarebytes.
I remember that safe mode gave me an option for system restore. Should I use that, or would it still be there?
-
Ok, let's start from square one then; could you run a fresh OTL scan please
-
I like seeing that RogueKiller run output. Shows one main issue with these rogues; how they write malware IPs to the localhost file. People have to start locking down access to their localhost file.
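The hijack being referred to is the one in the RKreport earlier in the thread: google.com, yahoo.com, bing.com and facebook.com all pointed at 46.4.179.109 instead of resolving normally. The following is an added example for this thread, not code from RogueKiller, OTL or any poster: it parses a Windows hosts file (on XP that is C:\WINDOWS\system32\drivers\etc\hosts) and flags any mapping that sends a hostname somewhere other than loopback. The SAMPLE_HOSTS text is constructed from the entries quoted in the report with a normal header added, and the HIGH_VALUE_DOMAINS list is an assumption.

```python
"""Audit a Windows hosts file for the hijack pattern in the RogueKiller report
above: well-known domains all mapped to one non-local IP.

Added example for this thread; not RogueKiller's or OTL's code. SAMPLE_HOSTS is
constructed from the entries quoted in the report, with a normal header added."""

import ipaddress
from collections import Counter

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
46.4.179.109 google.com
46.4.179.109 yahoo.com
46.4.179.109 bing.com
46.4.179.109 facebook.com
46.4.179.109 yahoo.com
46.4.179.109 bing.com
46.4.179.109 facebook.com
"""

# Assumption: domains a home machine's hosts file has no legitimate reason to
# remap. Extend with whatever your environment treats as high value.
HIGH_VALUE_DOMAINS = {"google.com", "yahoo.com", "bing.com", "facebook.com",
                      "microsoft.com", "windowsupdate.com", "malwarebytes.org"}


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every active mapping line.
    Comments and blank lines are skipped; a line whose first token is not an
    IP address is ignored as malformed instead of aborting the audit."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((n, ip, [h.lower() for h in parts[1:]]))
    return entries


def audit_hosts(text):
    """Flag every hostname mapped to anything other than loopback or 0.0.0.0.
    Loopback/unspecified targets are the normal uses (localhost, ad blocking);
    a routable address is a redirect, and on a home PC that is almost always
    malware."""
    findings = []
    for n, ip, hosts in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for h in hosts:
            reason = ("well-known domain redirected" if h in HIGH_VALUE_DOMAINS
                      else "non-loopback mapping")
            findings.append({"line": n, "ip": str(ip), "host": h, "reason": reason})
    return findings


def redirect_targets(findings):
    """Count hostnames per foreign IP: one address collecting many unrelated
    domains (here 46.4.179.109 seven times) is the signature of a rogue's
    redirect rather than a stray typo."""
    return Counter(f["ip"] for f in findings)


def clean_hosts():
    """Minimal replacement file, the loopback line being all Windows needs.
    Assumption: the fixes above reset the file via OTL's [resethosts]; the
    exact text OTL writes is OTL's own and may differ from this."""
    return "127.0.0.1 localhost\n"


if __name__ == "__main__":
    found = audit_hosts(SAMPLE_HOSTS)
    for f in found:
        print(f"line {f['line']:>3}: {f['host']:<14} -> {f['ip']}  ({f['reason']})")
    print("hostnames per target IP:", dict(redirect_targets(found)))
    print("unique hijacked domains:", sorted({f['host'] for f in found}))
```

Run against the sample it reports all seven redirected entries, counts them against the single target IP, and lists the four distinct hijacked domains; entries that point at 127.0.0.1 or 0.0.0.0 (the localhost line, or an ad-blocking hosts list) are deliberately not flagged, which is what keeps the check quiet on a normal machine.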
-
Okay, I'll try and run that again. (sorry it took so long, been stuck in lab revising papers all day XD )
Is it okay if I run it while the virus is going though? Because the virus was running even during safe mode when I tried that.
I think I already deleted the files on the computer and may have to make another usb drive.
-
I'm getting a lot more activity from the virus this time. Last time I was able to open mozilla in safe mode and now I can't.
RogueKiller isn't giving me a prompt or anything; it just says...
searching bad processes
[susppath] csq.exe <1316> ->killed [termproc]
searching hidden processes running
searching bad services running
driver loading : [1084]error
searching for new version online
I tried finding a new version of RogueKiller online, but this laptop is saying Norton blocked a malicious attack from the RogueKiller site when I tried to use the download link
-
I keep trying to use the RogueKiller program to turn the virus off so I can use the other tools, but I can't use it now either. Clicking on the roguekiller.exe just opens more virus windows.
I feel stuck here.
-
First attachment from selecting scan in RogueKiller...
-
Second attachment from running "2" in RogueKiller
-
Okay, here's the OTL log thing.
-
I guess I'll catch up with you tomorrow on what to do with those logs, but I figured I'd go ahead and reinstall/run Malwarebytes anyway just to see if it could catch some of it.
Here's the log from that if it helps anything. :)
-
I went ahead and ran the OTL scan again after trying malwarebytes just to see if it picked up anything different.
-
I ran a full scan with malwarebytes and this is the log...
-
I tried logging in under normal conditions (not safe mode), and ran the roguekiller program again with the updated version which produced this log saying something about a rootkit...
edit: went ahead and ran otl again too in case something changed. log attached
-
I think I had bad timing the other day so I'm going to try running everything again in case updated logs are needed. :)
I'm currently using the standard windows login. I have run RogueKiller a couple of times today. Earlier it wasn't returning anything, but it just started showing the same ZeroAccess thing it did last night. Log is attached.
Scanning with OTL and originally provided settings atm, will have results in a moment.
Now attaching the up-to-date OTL log...
-
OK, you have a little nasty there
Warning: This fix is only relevant for this system and no other, using it on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2011/12/12 18:15:45 | 000,004,376 | -HS- | M] () -- C:\Documents and Settings\RED\Local Settings\Application Data\mecdvr8m3quf5hlt0dpk8r678y5c
[2011/12/12 18:15:45 | 000,004,376 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\mecdvr8m3quf5hlt0dpk8r678y5c
[2011/12/11 21:06:42 | 000,329,216 | ---- | M] () -- C:\Documents and Settings\RED\Local Settings\Application Data\csq.exe
[2011/01/16 16:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\RED\Local Settings\Temp\RarSFX0\procs\explorer.exe
[2005/08/16 02:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\RED\Local Settings\Temp\RarSFX0\h\explorer.exe
[2009/05/26 19:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\RED\Local Settings\Temp\RarSFX0\userinit.exe
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the "Scan" button to start the scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif)
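The three files the fix above removes from ...\Local Settings\Temp\RarSFX0\ are copies of explorer.exe and userinit.exe sitting nowhere near C:\WINDOWS or C:\WINDOWS\System32, which is also why the OTL scan settings earlier hash exactly those system-binary names in their /md5start block. As an added example for this thread (not OTL's code), the script below walks a directory tree for those four names outside the directories they belong in and reports size and MD5 for each hit, in the style of the OTL log lines. The directory layout and file bytes are constructed placeholders mirroring the paths in this fix, and the ALLOWED_PARENTS list is an assumption about an XP-era layout.

```python
"""Hunt for copies of core Windows binaries outside their home directory, the
pattern targeted by the OTL fix above (explorer.exe and userinit.exe under
...\\Local Settings\\Temp\\RarSFX0\\).

Added example for this thread, not OTL's code. The directory tree and file
contents are constructed placeholders, not real Windows binaries."""

import hashlib
import os
import tempfile
from pathlib import Path, PurePath

# The four names OTL's /md5start block hashes in the scan settings above.
WATCHED_NAMES = {"explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe"}

# Assumption: on an XP-era install a genuine copy lives directly under one of
# these directory names (Windows root, System32, the dllcache and service-pack
# caches). Anything else carrying one of the watched names deserves a look.
ALLOWED_PARENTS = {"windows", "system32", "dllcache", "i386", "servicepackfiles"}


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries do not load into memory.
    Used only as a fingerprint to compare against a known-good copy."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_lookalikes(root):
    """Return sorted [(relative_path, size, md5)] for watched names whose
    parent directory is not in ALLOWED_PARENTS. Paths use backslashes so the
    output reads like the OTL log lines."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parent = PurePath(dirpath).name.lower()
        for name in files:
            if name.lower() in WATCHED_NAMES and parent not in ALLOWED_PARENTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "\\")
                hits.append((rel, os.path.getsize(full), md5_of(full)))
    return sorted(hits)


def build_sample_tree():
    """Constructed tree mirroring the paths named in the fix. The genuine
    locations hold one placeholder each and the dropped copies hold different
    bytes, so their MD5s differ just as the real log's did."""
    root = tempfile.mkdtemp()
    layout = {
        "WINDOWS/explorer.exe": b"placeholder for the genuine explorer.exe",
        "WINDOWS/system32/userinit.exe": b"placeholder for the genuine userinit.exe",
        "Documents and Settings/RED/Local Settings/Temp/RarSFX0/procs/explorer.exe": b"dropped copy 1",
        "Documents and Settings/RED/Local Settings/Temp/RarSFX0/h/explorer.exe": b"dropped copy 2",
        "Documents and Settings/RED/Local Settings/Temp/RarSFX0/userinit.exe": b"dropped copy 3",
        "Program Files/SomeGame/readme.txt": b"unrelated file, must not be reported",
    }
    for rel, data in layout.items():
        p = Path(root, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def audit_sample():
    """Build the constructed tree and return the lookalikes found in it."""
    return find_lookalikes(build_sample_tree())


if __name__ == "__main__":
    for rel, size, digest in audit_sample():
        print(f"[{size:>9,} bytes] MD5={digest.upper()} -- {rel}")
```

On the constructed tree only the three copies under Temp\RarSFX0 are reported; the genuine placeholders under WINDOWS and WINDOWS\system32 and the unrelated readme are skipped. Pointed at a real C: drive the same walk is slow but cheap, and a hit's MD5 can then be compared with the hash of the copy in System32 the way the OTL log above shows them side by side.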
-
Ahh, thanks! Running OTL again now! :)
-
OTL says processing complete, but has removed everything but the desktop background. Is it safe to do a hard boot, or should I try closing OTL and see if that lets me access a shutdown menu?
-
So that's quick scan with nothing in the custom scan/fixes field?
-
Here's the OTL log...
Hmmm... I've been running the new aswMBR.exe you linked and it's been spending a lot of time in its scan going over the roguekiller.exe
It's been scanning the RK file for a few minutes now.
Could it have been infected somehow? I know I got a malware warning from Norton on the laptop I'm borrowing the first time I clicked the download link on the RK site (the one that is like half in French?). Could that be a problem?
-
No the file is good
What are the problems when you boot to normal mode ?
-
The aswmbr has slowed to a crawl, is this normal?
Here's what it's displayed so far...
http://ctrlv.in/51528
It shows a couple of locked files, but has steadily decreased in speed and has now been on the file shown for a while.
I'm not sure what you mean by "problems when I boot to normal mode".
Using the RogueKiller before and then reinstalling Malwarebytes (it removed 1 item on a quick scan, and 5 on a full scan, I posted the logs earlier) has prevented the AV 2012 from popping up, but RogueKiller is still saying there's a rootkit.
edit: it's still on that file in the picture. should I try running it in normal mode? would that allow it to scan faster (everything seems slower in safe mode?)?
-
Okay, it just decided to finish really quickly for some reason. Here's the log from it...
-
Yes boot to normal mode as the locked files are suspicious
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Hmmm, I don't see an option to simply turn off Avast. I also cannot end Avast from processes.
-
Right click the Avast ball and select shield control
Select disable until reboot
Do not let Avast sandbox or quarantine anything whilst combofix is running
-
Okay, I got ComboFix to run, and it popped up a dialog box saying...
This machine does not have the Microsoft Windows Recovery Console installed. Alternately, an existing installation of the Recovery Console may be present but requires updating.
Without it, ComboFix shall not attempt the fixing of some serious infections.
Click yes to have ComboFix download and install it.
Note: this requires an active internet connection.
What do I do now?
edit: I went ahead and let it download what it wanted to. Now it says it's scanning for files.
It popped up a dialog saying the computer was infected with a rootkit, then went back to scanning in its blue command prompt window. Now it says "rootkit is detected be patient this may take some moments"
-
It didn't produce a log, it just said it had to reboot the machine.
-
Has it rebooted ?
If not wait for ten minutes or so and reboot manually
-
It went through a lot of scans (30 something at last check) and is now rebooting.
It says preparing log report. I will attach that as soon as it finishes.
It says don't run any programs, but Malwarebytes and PeerBlock started up automatically. Should that be a problem?
-
No not a problem - the log may take a while to prepare as the data is all gathered
-
Okay, it just finished and produced the log.
Did that actually fix the problem? Because I noticed the whole genuine windows thing that I always ignore on boot up is gone. Could that have been a part of it?
-
Do the results of the log mean that it is clean, or that we know what program to run next?
Also, I have a new file on my desktop titled "MBR" which is listed as an ArmyBuilder file used by my warhammer 40k application. It wasn't there before, is that normal or something worth noting?
Is there any use for all the logs that have been saved to the desktop for use in dealing with future problems? I'll attach those if they can be helpful in any way :)
-
It killed the two locked services and the main malware folders
How is the computer behaving now ?
-
It seems pretty good. Like I said, it seems to have killed that genuine advantage thing that automatically pops up too (incidentally, ever heard if those are legit or not? it looked official, but even then sounded sort of sketchy like something that would monitor activity). I never thought to take a screenshot before, but the logo on it looked like this...
http://www.google.com/imgres?q=windows+genuine+advantage&um=1&hl=en&biw=1014&bih=629&tbm=isch&tbnid=plmhVOhxpeBLnM:&imgrefurl=http://www.jauhari.net/how-to-remove-windows-genuine-authentication&docid=1cfMBtxkzW4JyM&imgurl=http://static.jauhari.net/engine/wp-content/uploads/2010/09/WGA-Logo.png&w=256&h=256&ei=O-HnTsDDCMHFsQLr9uz7CA&zoom=1&iact=hc&vpx=100&vpy=217&dur=4745&hovh=204&hovw=204&tx=138&ty=72&sig=115971764693900836115&page=2&tbnh=119&tbnw=119&start=15&ndsp=15&ved=1t:429,r:0,s:15
Sorry to go on a tangent there. :)
Is there anything I should run to verify completely that there's nothing else left in the system or that nothing reinstalled itself after the fix?
-
I assume you're running WIN 7? I never saw a post by you stating what OS you were running.
In WIN 7, Windows Genuine Advantage baloney is built into the OS install. In other words, you get it whether you want it or not. You should not be getting any popups stating to install it that I am aware of.
In XP, it's a separate download via WIN Updates. If you don't install it, the only updates you can download are security related. The WGA alert would only occur when you access the Windows Update site as I recall.
Not sure about Vista since I never installed it.
-
I thought I posted windows XP in one of the first responses. Thanks for clarifying that though. I didn't know enough about it to install it, but when I noticed that it did not automatically run its dialog box after this last reboot I started suspecting that it may have been bundled with the rootkit or previous virus all along.
^_^ http://buttersafe.com/2008/10/23/the-detour/ very true in my case.
-
I found a folder on the C drive called Qoobox which implies it contains quarantined files. Is there somewhere those should be sent for analysis or something?
-
No if it found them then they are known so no upload is required
Could you now run MBAM and a fresh OTL scan please and then let me know what problems remain
Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php)
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
-
I ran a full run of malwarebytes while I was at work today, and it turned up with nothing detected! :D
I'll go ahead and run OTL again just to be sure.
Thanks for all the help bud, couldn't have done it without ya! :)
-
Here's the final (hopefully) OTL log. :)
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so.. The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif) Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave: