BleepingComputer.com: Am I infected: FakeSysDef and maybe others


#1 Hoppochtro (Member; Posts: 10; Joined: 14-May 11)

Posted 14 May 2011 - 06:53 PM

I have a custom built computer running Windows XP Pro SP3. Last night I picked up some trojans that started running fake virus scans. I trired to clean them out using RKILL and MBAM in safe mode and have had no more symptoms. Unfortunately I didn't keep track of the five or so infected files found. However, this evening Microsoft Security Essentials reported that it had automatically removed FakeSysDef. I have read that this trojan tries to keep reinstalling itself and I want to remove it permanently.

1. How can I verify whether or not I still have trojans and viruses from this attack?
2. If I do, how do I get someone to assist me to remove them.

Thank you so very much! My entire weekend has been ruined by this, so I appreciate any help I can get.

#2 cryptodan (BC Advisor; Posts: 18,386; Joined: 08-September 08; Location: Catonsville, Md)

Posted 14 May 2011 - 07:01 PM

Can you post the logs from MBAM, and post the findings from rkill?

My work schedule is as follows: Mon and Tues 1800 to 0600, Friday - Sunday 1800 EST to 0600, and Wednesday to Thursday 1800 EST to 0600. So if I do not respond right away I am at work.
----------------
If I am helping you, then please send me a message with your thread link in it. This is only if I haven't replied back to you within 24 to 48 hours.
----------------
My Main Site || My Backup Site || steam://friends/add/cryptodan Add me to your Steam Friends.

#3 Hoppochtro

Posted 15 May 2011 - 08:09 AM

cryptodan, on 14 May 2011 - 07:01 PM, said:

Can you post the logs from MBAM, and post the findings from rkill?


Rkill definitely didn't kill any processes. Unfortunately I deleted the MBAM logs. I know that was stupid, but virus attacks tend to give me panic anxiety and then I don't always think clearly.

I am currently running Microsoft Safety Scanner and it says it has found five infected files, but it's not done scanning yet. If it creates a log, I will post it.

#4 Hoppochtro

Posted 15 May 2011 - 08:10 AM

I have a follow-up question: Should I always run MBAM in Safe Mode? Is there any benefit to running it in Normal Mode?

#5 cryptodan

Posted 15 May 2011 - 08:26 AM

Running it in Normal Mode will give mbam access to more files and paths.


#6 Hoppochtro

Posted 15 May 2011 - 12:02 PM

Should I run Rkill before running MBAM also when I'm not in Safe Mode? Also, where are the MBAM logs stored?

#7 cryptodan

Posted 15 May 2011 - 12:20 PM

They are stored in the Logs tab.

Run rkill before mbam.


#8 Hoppochtro

Posted 15 May 2011 - 12:28 PM

Ok, so I've just started with Safe Mode. I ran RKILL and it did not find anything and I'm now doing a full scan with MBAM. Then I'll do the same thing in Normal Mode. I'll post logs when it is done.

I do have a question about MBAM: When it says it's detected something and wants to remove it, it always wants to restart afterwards to complete removal. Does it matter then if I restart into Safe Mode or Normal Mode?

This post has been edited by Hoppochtro: 15 May 2011 - 12:29 PM


#9 Hoppochtro

Posted 15 May 2011 - 01:43 PM

This is my Rkill log from my most recent run [in safe mode]:

This log file is located at C:\rkill.log. 
Please post this only if requested to by the person helping you. 
Otherwise you can close this log when you wish. 

Rkill was run on 05/15/2011 at 13:19:51. 
Operating System: Microsoft Windows XP 


Processes terminated by Rkill or while it was running: 



Rkill completed on 05/15/2011 at 13:19:55. 


This is my MBAM log immediately afterwards:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6585

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/15/2011 2:29:48 PM
mbam-log-2011-05-15 (14-29-48).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 431698
Time elapsed: 1 hour(s), 7 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The good news is that I found my old MBAM logs still intact. I will reproduce them below to document what happened and describe why it is I'm still nervous.

This post has been edited by Hoppochtro: 15 May 2011 - 02:55 PM


#10 Hoppochtro

Posted 15 May 2011 - 01:49 PM

So here is a more complete history of what happened. Once my computer was attacked and I started getting a flurry of fake anti-virus program windows I ran MBAM in safe mode (after RKill), and got this:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6572

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/14/2011 3:19:55 AM
mbam-log-2011-05-14 (03-19-55).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 431106
Time elapsed: 1 hour(s), 7 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vKLuVrOIsaEYCN (Rogue.Installer.Gen) -> Value: vKLuVrOIsaEYCN -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\vkluvroisaeycn.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{d99be063-069c-4ba3-8219-5cbe432e0128}\RP1853\A0358406.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\17227556.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.


After that I rebooted into normal mode, then into safe mode, and repeated the process and it found one more infection:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6576

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/14/2011 8:28:34 AM
mbam-log-2011-05-14 (08-28-34).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 431166
Time elapsed: 1 hour(s), 8 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{d99be063-069c-4ba3-8219-5cbe432e0128}\RP1853\A0360198.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.


After that I repeated the process and got a clean report card:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6576

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/14/2011 9:40:38 AM
mbam-log-2011-05-14 (09-40-38).txt

Scan type: Full scan (C:\|)
Objects scanned: 389255
Time elapsed: 1 hour(s), 0 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I repeated the same thing at 3:42 pm and got a clean report again.

Now here is what makes me nervous: At around 6 pm Microsoft Security Essentials reported that it had detected and removed FakeSysDef. Between 3:42 pm and 6 pm I was, as far as I can recall, not even using the computer. This is why I am worried whether or not I really have a clean system.

Right now I'm going to run RKill and MBAM in normal mode.
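The logs in this post are the only record in the thread of what was found and where, and they are exactly what the advisor asked for first. As an added example (Python; not code from Malwarebytes, BleepingComputer or either poster), here is a small parser for the MBAM 1.50 log format shown above. It pulls the summary counts and each detection entry, checks that the declared counts match the entries actually listed (a trimmed or hand-edited log shows up as a mismatch), and labels each hit by where it sits: an HKCU\...\CurrentVersion\Run value or a Policies\System tamper is a persistence mechanism, while a file under System Volume Information\_restore is a copy held in a System Restore point. The embedded sample log is constructed from the detections posted above with most of the empty sections trimmed; the regexes, the persistence labels and the function names are this example's own assumptions.

```python
# Added example (Python), not code from Malwarebytes or this thread. It assumes
# the MBAM 1.50 log layout shown above: "<Section> Infected: <n>" summary lines,
# then per-section listings holding "(No malicious items detected)" or one entry
# per line shaped "<target> (<detection>) -> [detail ->] <action>".
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the 5/14/2011 3:19 AM detections posted in this thread,
# with most of the empty sections trimmed to keep the example short.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Scan type: Full scan (C:\|D:\|)

Memory Processes Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vKLuVrOIsaEYCN (Rogue.Installer.Gen) -> Value: vKLuVrOIsaEYCN -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\vkluvroisaeycn.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{d99be063-069c-4ba3-8219-5cbe432e0128}\RP1853\A0358406.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\17227556.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected):\s*(?P<count>\d+)?$")
TARGET_RE = re.compile(r"^(?P<target>.+) \((?P<detection>[^()]+)\)$")
# Location tells you whether a hit is a persistence mechanism or a restore-point copy.
PERSISTENCE_RULES = (
    ("autorun", r"\\currentversion\\run(once)?\\"),
    ("policy", r"\\currentversion\\policies\\"),
    ("restore_point", r"\\system volume information\\_restore"),
)

@dataclass
class Finding:
    section: str
    target: str
    detection: str
    detail: str  # "Value: ..." or "Bad: (1) Good: (0)"; empty for file entries
    action: str
    persistence: Optional[str]

@dataclass
class Report:
    safe_mode: bool = False
    counts: Dict[str, int] = field(default_factory=dict)
    findings: List[Finding] = field(default_factory=list)

def classify(target: str) -> Optional[str]:
    low = target.lower()
    return next((label for label, pat in PERSISTENCE_RULES if re.search(pat, low)), None)

def parse_log(text: str) -> Report:
    report = Report(safe_mode="(Safe Mode)" in text)
    current = None  # section whose listing we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SUMMARY_RE.match(line)
        if m:  # with a number it is the summary block, without one a listing header
            if m.group("count") is not None:
                report.counts[m.group("section")] = int(m.group("count"))
            else:
                current = m.group("section")
            continue
        if current is None:
            continue  # product/OS/scan-type header lines are not modelled
        parts = [p.strip() for p in line.split(" -> ")]
        tm = TARGET_RE.match(parts[0])
        if tm is None or len(parts) < 2:
            raise ValueError(f"unparsed entry under {current!r}: {line}")
        report.findings.append(Finding(current, tm.group("target"), tm.group("detection"),
                                       " -> ".join(parts[1:-1]), parts[-1].rstrip("."),
                                       classify(tm.group("target"))))
    return report

def count_mismatches(report: Report) -> Dict[str, Tuple[int, int]]:
    """Sections whose summary count disagrees with the entries listed, as
    {section: (declared, listed)}; anything here means a trimmed or edited log."""
    listed: Dict[str, int] = {}
    for f in report.findings:
        listed[f.section] = listed.get(f.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in report.counts.items() if n != listed.get(s, 0)}

def is_clean(report: Report) -> bool:
    return sum(report.counts.values()) == 0 and not report.findings
```

To use it on a real log, read the saved mbam-log-*.txt and pass its text to parse_log(); a non-empty count_mismatches() result, or any finding labelled autorun or policy, is what to look at first, while restore_point hits only say that a quarantined file also lived inside a restore point.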

#11 Hoppochtro

Posted 15 May 2011 - 01:54 PM

This is the RKill log in normal mode:

This log file is located at C:\rkill.log. 
Please post this only if requested to by the person helping you. 
Otherwise you can close this log when you wish. 

Rkill was run on 05/15/2011 at 14:51:41. 
Operating System: Microsoft Windows XP 


Processes terminated by Rkill or while it was running: 



Rkill completed on 05/15/2011 at 14:51:44. 


MBAM is running now.

Is there any problem with running MBAM with Microsoft Security Essentials on?

#12 Hoppochtro

Posted 15 May 2011 - 03:43 PM

MBAM detects nothing:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6585

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/15/2011 4:33:51 PM
mbam-log-2011-05-15 (16-33-51).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 415520
Time elapsed: 1 hour(s), 41 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I guess my course of action now is to hope for the best and see if anything pops up again. Any other suggestions? I'm still baffled why a virus was caught by MSE after MBAM had declared it cleaned and I was not even using the computer.

#13 cryptodan

Posted 15 May 2011 - 05:45 PM

I would like for you to test the computer out, and see if you have any residual issues.


#14 Hoppochtro

Posted 15 May 2011 - 05:56 PM

cryptodan, on 15 May 2011 - 05:45 PM, said:

I would like for you test the computer out, and see if you have any residual issues.


You mean just use it as normal and see if anything strange is happening?

After the first clean-up, I had some issues with desktop icons and Start Menu items in the All Users folder being hidden, but those were easily fixed. Apart from that it seems normal.

This post has been edited by Hoppochtro: 15 May 2011 - 05:56 PM


#15 cryptodan

Posted 15 May 2011 - 06:00 PM

Yeah run the machine as if it wasn't infected, and see if you have some residual issues.

